Windows Analysis Report
0442.pdf.exe

Overview

General Information

Sample name: 0442.pdf.exe (renamed because original name is a hash value)
Original sample name: .pdf.exe
Analysis ID: 1580689
MD5: 4f6b2b9ee57c50d6c505d0cdada4803e
SHA1: ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256: 62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Connects to many ports of the same IP (likely port scanning)
Enables network access during safeboot for specific services
Enables remote desktop connection
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0442.pdf.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\0442.pdf.exe" MD5: 4F6B2B9EE57C50D6C505D0CDADA4803E)
    • msiexec.exe (PID: 7520 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7920 cmdline: ping 8.8.8.8 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • Acrobat.exe (PID: 7556 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 8024 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7216 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1540,i,18215150213972139035,17261459285525738276,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • Acrobat.exe (PID: 7664 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
  • msiexec.exe (PID: 7608 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • ROMFUSClient.exe (PID: 7440 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8308 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8344 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8392 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8480 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8516 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)
  • svchost.exe (PID: 8096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ROMServer.exe (PID: 8532 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8668 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8692 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8700 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8784 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8868 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8900 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8964 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8516 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 5292 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 980 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
13.0.ROMServer.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
12.0.ROMFUSClient.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

System Summary

Source: Process started Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0442.pdf.exe, NewProcessName: C:\Users\user\Desktop\0442.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0442.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0442.pdf.exe", ProcessId: 7428, ProcessName: 0442.pdf.exe
Source: Network Connection Author: Florian Roth (Nextron Systems): Data: DestinationIp: 101.99.91.150, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: , Initiated: true, ProcessId: , Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49977
Source: Process started Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8096, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: 0442.pdf.exe Virustotal: Detection: 47%
Source: 0442.pdf.exe ReversingLabs: Detection: 26%
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf
Source: 0442.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FEB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF600FEB190
Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FD40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF600FD40BC
Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FFFCA0 FindFirstFileExA,0_2_00007FF600FFFCA0
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe File opened: C:\Windows\SysWOW64\winmm.dll

Networking

Source: global traffic TCP traffic: 101.99.91.150 ports 5651,8080,1,5,6,80
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe Registry value created: NULL Service
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 101.99.91.150:5651
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
                  Source: ROMFUSClient.exe, 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: https://litemanager.com/romversion.txt
                  Source: ROMFUSClient.exe, 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
                  Source: svchost.exe, 00000009.00000003.1709569323.000001AFCDAC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                  Source: svchost.exe, 00000009.00000003.1709569323.000001AFCDA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

                  System Summary

                  Source: initial sample Static PE information: Filename: 0442.pdf.exe
                  Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FCC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5511f4.msi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI186C.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5511f7.msi
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\5511f7.msi
                  Source: ROMViewer.exe.5.dr Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe.5.dr Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe0.5.dr Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe.5.dr Static PE information: Number of sections : 11 > 10
                  Source: ROMFUSClient.exe.5.dr Static PE information: Number of sections : 11 > 10
                  Source: ROMServer.exe0.5.dr Static PE information: Number of sections : 11 > 10
                  Source: ROMViewer.exe.5.dr Static PE information: Number of sections : 11 > 10
                  Source: ROMViewer.exe.5.dr Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C8A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C894000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0442.pdf.exe
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C83C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISRegSvr.dll vs 0442.pdf.exe
                  Source: 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C886000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
                  Source: classification engine Classification label: mal88.troj.evad.winEXE@60/94@1/3
                  Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FCB6D8 GetLastError,FormatMessageW,LocalFree
                  Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF600FE8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray
                  Source: C:\Users\user\Desktop\0442.pdf.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5573656
                  Source: Yara match File source: 13.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                  Source: Yara match File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
                  Source: Yara match File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
                  Source: Yara match File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
                  Source: 0442.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\0442.pdf.exe File read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\0442.pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 0442.pdf.exe Virustotal: Detection: 47%
                  Source: 0442.pdf.exe ReversingLabs: Detection: 26%
                  Source: C:\Users\user\Desktop\0442.pdf.exe File read: C:\Users\user\Desktop\0442.pdf.exe
                  Source: unknown Process created: C:\Users\user\Desktop\0442.pdf.exe "C:\Users\user\Desktop\0442.pdf.exe"
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
                  Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1540,i,18215150213972139035,17261459285525738276,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: unknown Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: mswsock.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Users\user\Desktop\0442.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                  Source: Start LM-Server.lnk.5.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Uninstall LiteManager - Server.lnk.5.dr LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
                  Source: Stop LM-Server.lnk.5.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Settings for LM-Server.lnk.5.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: 0442.pdf.exe Static PE information: Image base 0x140000000 > 0x60000000
                  Source: 0442.pdf.exe Static file information: File size 11409543 > 1048576
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 0442.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 0442.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe
                  Source: 0442.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 0442.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 0442.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 0442.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 0442.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\0442.pdf.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5573656
                  Source: 0442.pdf.exe Static PE information: section name: .didat
                  Source: 0442.pdf.exe Static PE information: section name: _RDATA
                  Source: ROMViewer.exe.5.dr Static PE information: section name: .didata
                  Source: ROMFUSClient.exe.5.dr Static PE information: section name: .didata
                  Source: ROMwln.dll.5.dr Static PE information: section name: .didata
                  Source: ROMServer.exe.5.dr Static PE information: section name: .didata
                  Source: HookDrv.dll.5.dr Static PE information: section name: .didata
                  Source: ROMServer.exe0.5.dr Static PE information: section name: .didata
                  Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF601005156 push rsi; retf 0_2_00007FF601005157
                  Source: C:\Users\user\Desktop\0442.pdf.exe Code function: 0_2_00007FF601005166 push rsi; retf 0_2_00007FF601005167
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk
                  Source: C:\Windows\System32\msiexec.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

                  Hooking and other Techniques for Hiding and Protection

                  Source: initial sample; Icon embedded in binary file: icon matches a legit application icon: download (132).png
                  Source: Possible double extension: pdf.exe; Static PE information: 0442.pdf.exe
                  Source: C:\Windows\System32\msiexec.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings
                  Source: C:\Users\user\Desktop\0442.pdf.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe; Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe; Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 2905
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 6863
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe
                  Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
                  Source: C:\Windows\System32\svchost.exe TID: 8184Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8628Thread sleep count: 46 > 30
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8628Thread sleep time: -230000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8536Thread sleep count: 50 > 30
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8812Thread sleep time: -1452500s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8812Thread sleep time: -3431500s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeLast function: Thread delayed
                  Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FEB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF600FEB190
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FD40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF600FD40BC
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FFFCA0 FindFirstFileExA,0_2_00007FF600FFFCA0
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF16A4 VirtualQuery,GetSystemInfo,0_2_00007FF600FF16A4
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\winmm.dll
                  Source: ROMFUSClient.exe, 00000019.00000002.1880989027.0000000000C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                  Source: ROMFUSClient.exe, 00000010.00000002.1855010039.0000000000D68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: svchost.exe, 00000009.00000002.2935157808.000001AFCD851000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2932704195.000001AFC822B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: ROMFUSClient.exe, 0000000E.00000003.1818158323.0000000000BF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: ROMServer.exe, 00000012.00000002.2932096301.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.2931991528.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.2931989175.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000016.00000002.1852594027.0000000000CD2000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000002.1866692616.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000018.00000002.1871997145.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001A.00000002.1893623088.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001D.00000002.1974073612.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001E.00000002.2289898604.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001F.00000002.2417059111.0000000000D28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF600FF3170
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF601000D20 GetProcessHeap,0_2_00007FF601000D20
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF600FF2510
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF3354 SetUnhandledExceptionFilter,0_2_00007FF600FF3354
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF600FF76D8
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
                  Source: C:\Users\user\Desktop\0442.pdf.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF6010058E0 cpuid 0_2_00007FF6010058E0
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF600FEA2CC
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FF0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF600FF0754
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF600FD51A4 GetVersionExW,0_2_00007FF600FD51A4

                  Remote Access Functionality

                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information1
                  Scripting
                  1
                  Replication Through Removable Media
                  Windows Management Instrumentation1
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  1
                  Disable or Modify Tools
                  OS Credential Dumping1
                  System Time Discovery
                  1
                  Remote Desktop Protocol
                  1
                  Archive Collected Data
                  1
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  11
                  Obfuscated Files or Information
                  LSASS Memory11
                  Peripheral Device Discovery
                  Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt1
                  Windows Service
                  1
                  Windows Service
                  1
                  Software Packing
                  Security Account Manager3
                  File and Directory Discovery
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron1
                  Registry Run Keys / Startup Folder
                  11
                  Process Injection
                  1
                  DLL Side-Loading
                  NTDS65
                  System Information Discovery
                  Distributed Component Object ModelInput Capture1
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                  Registry Run Keys / Startup Folder
                  1
                  File Deletion
                  LSA Secrets31
                  Security Software Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts222
                  Masquerading
                  Cached Domain Credentials2
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Modify Registry
                  DCSync1
                  Process Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                  Virtualization/Sandbox Evasion
                  Proc Filesystem1
                  Application Window Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  Remote System Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Network Configuration Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  [Behavior graph: Behavior Graph ID: 1580689, Sample: 0442.pdf.exe, Startdate: 25/12/2024, Architecture: WINDOWS, Score: 88]

Source | Detection | Scanner | Label | Link
0442.pdf.exe | 47% | Virustotal | | Browse
0442.pdf.exe | 26% | ReversingLabs | Win64.Trojan.Uztuby |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | 8% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | 3% | ReversingLabs | |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://litemanager.com/03 | 0% | Avira URL Cloud | safe |
http://litemanager.com/1 | 0% | Avira URL Cloud | safe |
http://litemanager.com/03w | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.100 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://litemanager.com/1ROMServer.exe, 00000012.00000002.2933625053.000000000176C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.2933461192.000000000288C000.00000004.00001000.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://litemanager.ru/ROMFUSClient.exe, 0000000C.00000000.1788377420.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1794843487.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Russian.lg.5.drfalse
                        high
                        https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000009.00000003.1709569323.000001AFCDB1A000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.8.drfalse
                            high
                            https://litemanager.com/soft/pro/ROMServer.zipROMFUSClient.exe, 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmpfalse
                              high
                              http://litemanager.com/03ROMFUSClient.exe, 00000015.00000002.2933461192.0000000002893000.00000004.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://g.live.com/odclientsettings/ProdV2svchost.exe, 00000009.00000003.1709569323.000001AFCDAC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://litemanager.com/romversion.txtROMFUSClient.exe, 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmpfalse
                                  high
                                  http://crl.thawte.com/ThawteTimestampingCA.crl00442.pdf.exe, 00000000.00000003.1676873311.000001A06C87A000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C83C000.00000004.00000020.00020000.00000000.sdmp, 5511f4.msi.5.dr, ms.msi.0.dr, 5511f7.msi.5.drfalse
                                    high
                                    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000009.00000003.1709569323.000001AFCDAC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.symauth.com/rpa000442.pdf.exe, 00000000.00000003.1676873311.000001A06C87A000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C83C000.00000004.00000020.00020000.00000000.sdmp, 5511f4.msi.5.dr, ms.msi.0.dr, 5511f7.msi.5.drfalse
                                        high
                                        http://ocsp.thawte.com00442.pdf.exe, 00000000.00000003.1676873311.000001A06C87A000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C83C000.00000004.00000020.00020000.00000000.sdmp, 5511f4.msi.5.dr, ms.msi.0.dr, 5511f7.msi.5.drfalse
                                          high
                                          http://litemanager.ru/noip.txtUROMServer.exe, 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmpfalse
                                            high
                                            http://crl.ver)svchost.exe, 00000009.00000002.2934887641.000001AFCD800000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000009.00000003.1709569323.000001AFCDAA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1709569323.000001AFCDAC2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1709569323.000001AFCDAE8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://litemanager.com/ROMFUSClient.exe, 0000000C.00000000.1788377420.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1794843487.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000012.00000002.2933625053.000000000176C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.2933461192.000000000288C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.2933461192.000000000278C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  high
                                                  http://litemanager.com/03wROMServer.exe, 00000012.00000002.2933625053.0000000001773000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.indyproject.org/ROMFUSClient.exe, 0000000C.00000003.1802761701.0000000002797000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000D.00000000.1792887318.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 0000000D.00000003.1796931420.0000000002A27000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000E.00000003.1817573851.0000000002787000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000003.1815885695.0000000002A67000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000003.1852583819.00000000028C7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000003.1847150962.00000000029E7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000012.00000002.2933625053.00000000016D7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.2932912602.0000000002847000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.2933461192.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000016.00000003.1850601689.0000000002997000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000003.1859519529.0000000002777000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000018.00000003.1870495257.0000000002897000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000019.00000003.1879725536.00000000028B7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001A.00000003.1892234791.00000000026C7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001E.00000003.2288286803.0000000002917000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.symauth.com/cps0(0442.pdf.exe, 00000000.00000003.1676873311.000001A06C87A000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1676873311.000001A06C83C000.00000004.00000020.00020000.00000000.sdmp, 5511f4.msi.5.dr, ms.msi.0.dr, 5511f7.msi.5.drfalse
                                                      high
                                                      https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000009.00000003.1709569323.000001AFCDAC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | | 15169 | GOOGLEUS | false
101.99.91.150 | unknown | Malaysia | | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true

IP
127.0.0.1
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1580689
                                                        Start date and time:2024-12-25 17:13:40 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 7m 23s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Run name:Potential for more IOCs and behavior
                                                        Number of analysed new started processes analysed:33
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:0442.pdf.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name: .pdf.exe
                                                        Detection:MAL
                                                        Classification:mal88.troj.evad.winEXE@60/94@1/3
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 71
                                                        • Number of non-executed functions: 92
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 2.19.198.27, 23.32.239.65, 23.32.239.56, 50.16.47.176, 18.213.11.84, 34.237.241.83, 54.224.241.105, 23.218.208.109, 23.195.39.65, 23.32.238.18, 23.32.238.74, 2.20.40.170, 104.122.212.204, 23.32.239.9, 2.19.198.16, 20.109.210.53, 13.107.246.63, 4.245.163.56
                                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                        • Execution Graph export aborted for target ROMServer.exe, PID 8532 because there are no executed function
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:14:36 | API Interceptor | 2x Sleep call for process: svchost.exe modified
11:14:37 | API Interceptor | 1x Sleep call for process: Acrobat.exe modified
11:14:47 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
11:14:48 | API Interceptor | 17x Sleep call for process: ROMServer.exe modified
11:14:50 | API Interceptor | 35309x Sleep call for process: ROMFUSClient.exe modified
                                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | Get hash | malicious | Unknown | Browse | 217.20.58.100
 | wUSt04rfJ0.exe | Get hash | malicious | Quasar | Browse | 217.20.58.101
 | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse | 217.20.58.99
 | AxoPac.exe | Get hash | malicious | LummaC | Browse | 217.20.58.100
 | [External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml | Get hash | malicious | Unknown | Browse | 217.20.58.99
 | PLEASE SIGN THIS DOCUMENT - Reference number(s) 0598190575 DPR.msg | Get hash | malicious | Unknown | Browse | 217.20.58.101
 | lKin1m7Pf2.lnk | Get hash | malicious | Unknown | Browse | 217.20.58.99
 | fKdiT1D1dk.exe | Get hash | malicious | RHADAMANTHYS | Browse | 217.20.58.100
 | uDTW3VjJJT.exe | Get hash | malicious | LummaC, Stealc | Browse | 217.20.58.99
 | data.exe | Get hash | malicious | Unknown | Browse | 217.20.58.99
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 94e.exe | Get hash | malicious | Remcos | Browse | 101.99.94.64
 | 94e.exe | Get hash | malicious | Remcos | Browse | 101.99.94.64
 | 0442.pdf.exe | Get hash | malicious | Remcos | Browse | 101.99.94.64
 | file.exe | Get hash | malicious | Invicta Stealer, XWorm | Browse | 101.99.92.189
 | http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.com | Get hash | malicious | Unknown | Browse | 101.99.81.34
 | lg1wwLsmCX.exe | Get hash | malicious | Unknown | Browse | 101.99.75.174
 | lg1wwLsmCX.exe | Get hash | malicious | Unknown | Browse | 101.99.75.174
                                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | gBYz86HSwI.msi | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | gBYz86HSwI.msi | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse |
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):23984
                                                                                Entropy (8bit):5.167762278036821
                                                                                Encrypted:false
                                                                                SSDEEP:192:7mC7js8t8t+CqZ+6ySyDy6ylNbywyYylygy2fhWBiBNMBiBNvBiBNq5yoio2YUgF:7H75t8t+CqZ+cNbynfhzOj3IaygyVOVi
                                                                                MD5:801EABBC877CC4A4864139B5961F8142
                                                                                SHA1:A92BCB41C17CD45CEDE3EBEA4547D09CB60C03BE
                                                                                SHA-256:96561A23CBEFD5C6A3B09DCD1421D1BBE5000EF5799FC47E305C572E63B0A52C
                                                                                SHA-512:1034ED2C21D0821A003A680EB33EBA4010FF0E86E5CB5D51DDC272E5DBF57374AEB7046C2B14844372D4E21878B630233F712409CDA28186DFA0E96FC4DA9E9E
                                                                                Malicious:false
                                                                                Preview:...@IXOS.@.....@.Y.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-BE
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):132032
                                                                                Entropy (8bit):6.10195829980833
                                                                                Encrypted:false
                                                                                SSDEEP:3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
                                                                                MD5:C40455A478E0B76521130D9DAAAADC4B
                                                                                SHA1:42DE923D5E36A9F56B002DD66DB245BC44480089
                                                                                SHA-256:308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
                                                                                SHA-512:76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: 0438.pdf.exe, Detection: malicious, Browse
                                                                                • Filename: 0438.pdf.exe, Detection: malicious, Browse
                                                                                • Filename: gBYz86HSwI.msi, Detection: malicious, Browse
                                                                                • Filename: 0438.pdf.exe, Detection: malicious, Browse
                                                                                • Filename: 0438.pdf.exe, Detection: malicious, Browse
                                                                                • Filename: 0438.pdf.exe, Detection: malicious, Browse
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
                                                                                Category:dropped
                                                                                Size (bytes):58679
                                                                                Entropy (8bit):4.738446173390891
                                                                                Encrypted:false
                                                                                SSDEEP:768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
                                                                                MD5:BAED4E7AF33F77350D454B69317EE63B
                                                                                SHA1:2B598774F0C73850A36117F29EA8DAC57BE1C138
                                                                                SHA-256:671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
                                                                                SHA-512:E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):89220
                                                                                Entropy (8bit):3.469297258214741
                                                                                Encrypted:false
                                                                                SSDEEP:768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
                                                                                MD5:B1C96EF24061BF294CAC6C4C9CBF7757
                                                                                SHA1:5D1B1934091E257B5F1C69B13F5FC1E424348584
                                                                                SHA-256:20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
                                                                                SHA-512:6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
                                                                                Malicious:false
                                                                                Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):201728
                                                                                Entropy (8bit):6.3607488106285075
                                                                                Encrypted:false
                                                                                SSDEEP:3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
                                                                                MD5:1D4F8CFC7BBF374CCC3AAE6045B2133D
                                                                                SHA1:802EDF0B0ED1D0305BCD6688EE3301366FEC1337
                                                                                SHA-256:C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
                                                                                SHA-512:68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: 0438.pdf.exe, Detection: malicious
                                                                                • Filename: gBYz86HSwI.msi, Detection: malicious
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):61034
                                                                                Entropy (8bit):4.429529654892776
                                                                                Encrypted:false
                                                                                SSDEEP:768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
                                                                                MD5:7303B5AE0B8911CEB238DC01419695BE
                                                                                SHA1:22B89BDB8FAEC62BA3E66639E38E6271B593944A
                                                                                SHA-256:88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
                                                                                SHA-512:8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
                                                                                Malicious:false
                                                                                Preview:[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):58794
                                                                                Entropy (8bit):3.642324420313977
                                                                                Encrypted:false
                                                                                SSDEEP:768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
                                                                                MD5:606DC375E898D7221CCB7CEB8F7C686B
                                                                                SHA1:26DCF93876C89283623B8150C1B79EDB24B6A7EC
                                                                                SHA-256:F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
                                                                                SHA-512:9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
                                                                                Malicious:false
                                                                                Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):87912
                                                                                Entropy (8bit):4.303374267443204
                                                                                Encrypted:false
                                                                                SSDEEP:768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
                                                                                MD5:3FC082E8F516EAD9FC26AC01E737F9EF
                                                                                SHA1:3B67EBCE4400DDCF6B228E5668F3008561FB8F21
                                                                                SHA-256:3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
                                                                                SHA-512:9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
                                                                                Malicious:false
                                                                                Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):6307408
                                                                                Entropy (8bit):6.5944937257467116
                                                                                Encrypted:false
                                                                                SSDEEP:98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
                                                                                MD5:63D0964168B927D00064AA684E79A300
                                                                                SHA1:B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
                                                                                SHA-256:33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
                                                                                SHA-512:894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
                                                                                Malicious:false
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):7753808
                                                                                Entropy (8bit):6.615075046955521
                                                                                Encrypted:false
                                                                                SSDEEP:98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
                                                                                MD5:F3D74B072B9697CF64B0B8445FDC8128
                                                                                SHA1:8408DA5AF9F257D12A8B8C93914614E9E725F54C
                                                                                SHA-256:70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
                                                                                SHA-512:004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):999944
                                                                                Entropy (8bit):6.626732213066839
                                                                                Encrypted:false
                                                                                SSDEEP:12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
                                                                                MD5:ED32E23322D816C3FE2FC3D05972689E
                                                                                SHA1:5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
                                                                                SHA-256:7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
                                                                                SHA-512:E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):94772
                                                                                Entropy (8bit):4.284840986247552
                                                                                Encrypted:false
                                                                                SSDEEP:768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
                                                                                MD5:0E204FABE68B4B65ED5E0834651FB732
                                                                                SHA1:B338A6E54AA18F3F8A573580520F16C74A51F3D2
                                                                                SHA-256:302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
                                                                                SHA-512:AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
                                                                                Malicious:false
                                                                                Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):7752272
                                                                                Entropy (8bit):6.615186281886958
                                                                                Encrypted:false
                                                                                SSDEEP:98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
                                                                                MD5:84FB34E529BEDE393A3F604EAA8137B2
                                                                                SHA1:195EA03B7BD086454A13C0D8357E0A9E447D9EC9
                                                                                SHA-256:1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
                                                                                SHA-512:A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):11361360
                                                                                Entropy (8bit):6.496049600782297
                                                                                Encrypted:false
                                                                                SSDEEP:98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
                                                                                MD5:B0E355EC3453C8FFAEE08CD4257E96F2
                                                                                SHA1:0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
                                                                                SHA-256:60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
                                                                                SHA-512:B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
                                                                                Malicious:false
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):1.3073755891648744
                                                                                Encrypted:false
                                                                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrX:KooCEYhgYEL0In
                                                                                MD5:71830F913302C2DB09092A5913F94F6C
                                                                                SHA1:F7A159462F701FE20E1BC586C4CD3899D5CD9013
                                                                                SHA-256:BA23DD41D289D48761ACA03E12A2517D32615CEF0AB9F6C2CFFB73885DEB91A6
                                                                                SHA-512:D39D845F051D6C13FFB6400C81C94B69D8ACA6A0D2EA8812391FEA7C9A608260FB857F772869C5313380EFEBC3DA21AB1A7A7CD79103BCF57B6D8EE69A9EB99B
                                                                                Malicious:false
                                                                                Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x87827848, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.422196023988347
                                                                                Encrypted:false
                                                                                SSDEEP:1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
                                                                                MD5:B7D11B4DDF7186F1361CBEAE1A42EBED
                                                                                SHA1:0CF7128209AB98B36B4BDD4698A45F2AE88578B5
                                                                                SHA-256:611587943F427AEC695778C94987F8A6B4829C5D874CFA5BE04600DFEF54B582
                                                                                SHA-512:09594A202B10C80BB7BD40F3D8697D9897A1ADCC11DEECE5F6A4853EA56F55421B2BFD3EE1E7484D0DB7688CB56548FEF4EEDD4B5250F342386D9BF594A13D49
                                                                                Malicious:false
                                                                                Preview:..xH... .......A.......X\...;...{......................0.!..........{A.%....|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................Z.Y.&....|u.....................%....|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.07710859733589415
                                                                                Encrypted:false
                                                                                SSDEEP:3:0lll/KYe3q/jjn13a/Sr1UKallcVO/lnlZMxZNQl:Ul/Kz3q/j53qSr2bOewk
                                                                                MD5:D3930364474B1BE900A9F2F3D0CA5DD4
                                                                                SHA1:022BEFA8CBD776B5F00153205B01F900320465F4
                                                                                SHA-256:04ADFD8AEC2CBE281E0EDF4102A9A94AB297694474E93651FDE434AB9B8E2053
                                                                                SHA-512:7CC597C663BA39A34B95E5B7542001FB86B5E93214018079C7F786BED0FD2F64D88FDDDAC3FEAD3DEC15A94FA4B8808691CBAB8043BAD7FF61D30ABAFA4C99E0
                                                                                Malicious:false
                                                                                Preview:.........................................;...{..%....|.......{A..............{A......{A..........{A]....................%....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:14:42 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2167
                                                                                Entropy (8bit):3.925761772599664
                                                                                Encrypted:false
                                                                                SSDEEP:48:8H2hbdcdOUjEvA8Zd5Y+d5YsP5qoZkmrSUp8JWqoZkmtU:8HhjEa9O5qoZbcJWqoZbt
                                                                                MD5:488734A3F3B9256252191EAD105E1F43
                                                                                SHA1:EA6EF01D2129ED8C365749F3B0AC21BFCEB293D0
                                                                                SHA-256:E16AB58F1A94104645F45E4EA17F485DB8D533C0A48B1B4B5C204D263F9867FD
                                                                                SHA-512:52393E836ECBFDEABD817A3B96DA115BC819CCC29C88CDC5B02095A1F542EA9AC29330827C8B8F51BA106E0B9C6279711D1770D819303A905A6A51600334F0B3
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ......=.........V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2.........O.I.Y.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......Y...LITEMA~1..b......Y..Y....."......................f..L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%..Y...............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............A&.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):1890
                                                                                Entropy (8bit):3.1573107695942624
                                                                                Encrypted:false
                                                                                SSDEEP:48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
                                                                                MD5:5FC67E19699B3F0B2AB7B4B89B0B3F1A
                                                                                SHA1:6F6380DF2EB8C5D30452A846864F001A8B0E473A
                                                                                SHA-256:45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
                                                                                SHA-512:81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
                                                                                Malicious:false
                                                                                Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:14:42 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2159
                                                                                Entropy (8bit):3.912902825693082
                                                                                Encrypted:false
                                                                                SSDEEP:48:8r2hbdcdOXtMxA8Zd5Y+d5Ys5qcxFWT84SslWqcxFWT8cU:8r6m09s5qcxYT8SWqcxYT8c
                                                                                MD5:D6AA259CEC95A50CD6FE93C763B64AE0
                                                                                SHA1:A59F0E4A74E1271F1E2992B1CB67C82347B2C566
                                                                                SHA-256:DA0C589CDFB183F7B0B76BC1AE52CF9C71CF0251D3CE97BC93EF5FF4DAB560F9
                                                                                SHA-512:10EA4C233BF080772A0F78C371DD55C4E152C3EA7B90D378F85E278BF3C2199517BA7EB16E7B994EDFAE5F4554D67D5ABE715F1F57D91A2A818647C3D377A4E2
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ......=....D....V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2.........O.I.Y.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......Y...LITEMA~1..b......Y..Y.....".......................#.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%..Y...............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............A&.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):1953
                                                                                Entropy (8bit):3.877241331767932
                                                                                Encrypted:false
                                                                                SSDEEP:24:8WnJ+Ds3lBbTAaPwB+sHyjv/+MTyjvejIKZDUHwGS7ke4WTyjvejIKZDUHwwcnIL:8WnuiBb0FHOn5qmjlt6ScWqmjltZV
                                                                                MD5:9DB1346A93911F4C088C5D1F88847228
                                                                                SHA1:10E961AB4D2BDD742A68AE00F64B471ABB52D92F
                                                                                SHA-256:648BA39BA79CC5BB5B357B62703E56FD3D82E4859516C93EDDBF2177D2E857D1
                                                                                SHA-512:9927E257A3B97D0CCF3FF7E562A618237B858CB7522FC382857EA4F4C81A380569B8B7F70202B4350F0B72C8B3AC5E619CEAC400FFF6036AEDF3D264BBBA3AE4
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwH.Y.....3.....................z.i.W.i.n.d.o.w.s.....Z.1......Y...SysWOW64..B......O.I.Y.....Y.......................K.S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M.............A&.....C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):292
                                                                                Entropy (8bit):5.2510377978189355
                                                                                Encrypted:false
                                                                                SSDEEP:6:F+JdS3cM+q2Pwkn2nKuAl9OmbnIFUt8K+mJZmw+K+iMw3cMVkwOwkn2nKuAl9Omt:MJWcM+vYfHAahFUt8/mJ/+/g3cMV5JfC
                                                                                MD5:76DFBDFEAD41FB27C81866E5FC42E4E2
                                                                                SHA1:459DA43C3BE6F88FE28B784BA4C41C7C83EE159D
                                                                                SHA-256:A19E53EF5BA2B2AE78C2E65ACED2A23936E50BC2998DC18F0F1E259EE51CB51C
                                                                                SHA-512:D200694261A69ECF56CC4981338E29A6F81962D8CCFFB572B8F46224B8F739730957999EC0E6AC33D541DF265F8ADB60945F694B75EE7B6C9D1D214C6A816436
                                                                                Malicious:false
                                                                                Preview:2024/12/25-11:14:36.517 1f8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:14:36.519 1f8c Recovering log #3.2024/12/25-11:14:36.520 1f8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):333
                                                                                Entropy (8bit):5.201834281159893
                                                                                Encrypted:false
                                                                                SSDEEP:6:F+oQq2Pwkn2nKuAl9Ombzo2jMGIFUt8K+owZmw+K+oFkwOwkn2nKuAl9Ombzo2jz:MoQvYfHAa8uFUt8/ow/+/oF5JfHAa8RJ
                                                                                MD5:A5074AFE11AF599A53D87E77C350A7D7
                                                                                SHA1:3A8929570D7924B5A12A9D182F74FCF603CFCA7F
                                                                                SHA-256:8D522C840B839E9248DFA5109A20E8DA80D3ACC144D4CAFC7284C89FFEFEB79A
                                                                                SHA-512:735E928A88E5D3336DC6C5DBE4265148321E522FF9D1141FBEBE7DB8F7F83752FAB0CA1156F22F42507DFFBFE3D985AA340AABDE4A4FBA1FE95C62469A3E0F3C
                                                                                Malicious:false
                                                                                Preview:2024/12/25-11:14:36.580 d04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/25-11:14:36.581 d04 Recovering log #3.2024/12/25-11:14:36.582 d04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:JSON data
                                                                                Category:modified
                                                                                Size (bytes):475
                                                                                Entropy (8bit):4.97540442432775
                                                                                Encrypted:false
                                                                                SSDEEP:12:YH/um3RA8squsBdOg2HHAAcaq3QYiubInP7E4TX:Y2sRdsmdMHHg3QYhbG7n7
                                                                                MD5:DB68BDC532BE871C485FE5625F8D72E2
                                                                                SHA1:4F5523EF139BD6CEB51B4A8C49571272971E8D2C
                                                                                SHA-256:254389855F88B73E951D6A3BD16224C83B55FF703AD95EE6E2054640CA7C167A
                                                                                SHA-512:C65870888BADFFCE531E50F328DC9E352420ABBF9E98425131E4F06F9EE9F5BBD24FFA61E4BFAD66BF0418FF633D291F95633A415053809AD1C241C3FA1A0504
                                                                                Malicious:false
                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379703284908020","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":684151},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):475
                                                                                Entropy (8bit):4.967403857886107
                                                                                Encrypted:false
                                                                                SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                                MD5:B7761633048D74E3C02F61AD04E00147
                                                                                SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                                SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                                SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                                Malicious:false
                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):4320
                                                                                Entropy (8bit):5.251333704953413
                                                                                Encrypted:false
                                                                                SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7p7s:etJCV4FiN/jTN/2r8Mta02fEhgO73goW
                                                                                MD5:9409F0548ECFB5D821AC3993FBA23E22
                                                                                SHA1:4A0826B1B4453C98F2F496464A4EEB20176B27FF
                                                                                SHA-256:24F93600E4F385E01D4AFFE4835A4C778F3251015B1CF5841AACDB0E148A4981
                                                                                SHA-512:5EFB45FFF68A4571F1E5325D2F19880440DB92D9C083E6388C4B63C9FA6C8EA9B2DAED72D199722FBAEF33915EB372DF605A4958A87D11A39E095CBA4571B858
                                                                                Malicious:false
                                                                                Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):321
                                                                                Entropy (8bit):5.226539446058056
                                                                                Encrypted:false
                                                                                SSDEEP:6:F+A4q2Pwkn2nKuAl9OmbzNMxIFUt8K+5pZmw+K+TtFkwOwkn2nKuAl9OmbzNMFLJ:MA4vYfHAa8jFUt8/z/+/TtF5JfHAa84J
                                                                                MD5:43FE4BFD0A5D9CA08FF8DFC41F0DA353
                                                                                SHA1:6748CA878A832B60C045359EBFE2B7B1C456B6DD
                                                                                SHA-256:822B8514FCD1FB8368165F75B2F8C38A5D46109EC8DBCB7BA612F25AC4716B8E
                                                                                SHA-512:4A8CB4BC7A00B929E71EA8ED5FD7329C0FC9C748B78A5DCDDB8992C344D3910617531458C77F95F1A01A54645693D0419CB3817FD02B42FAD5BDA4624213EC7A
                                                                                Malicious:false
                                                                                Preview:2024/12/25-11:14:36.768 d04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/25-11:14:36.770 d04 Recovering log #3.2024/12/25-11:14:36.772 d04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                Category:dropped
                                                                                Size (bytes):86016
                                                                                Entropy (8bit):4.4452931025648725
                                                                                Encrypted:false
                                                                                SSDEEP:384:yezci5tYiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:r/s3OazzU89UTTgUL
                                                                                MD5:73BFE3056E3214C37F3CA39861DC41EE
                                                                                SHA1:B68F6EAFAB72A04751698F56DCD1A9670BCCE6CE
                                                                                SHA-256:22783BC48B8017F917734362468403805525594D5534B75D39CB04E9640A6434
                                                                                SHA-512:8A30A67D5E92651386846233673058E3C95A21A5B25977539F4625D1239714CCF37F672EBB7C526CC82E27C62C2AB65612C2EA37A94D7627033F9535E79E2264
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite Rollback Journal
                                                                                Category:dropped
                                                                                Size (bytes):8720
                                                                                Entropy (8bit):3.7774892429030436
                                                                                Encrypted:false
                                                                                SSDEEP:48:7MGp/E2ioyVxQioy9oWoy1Cwoy1GTKOioy1noy1AYoy1Wioy1hioybioykloy1nN:7FpjuiFpXKQFQb9IVXEBodRBkq
                                                                                MD5:2FF407DBF50B458863C40BC0E4A46DDE
                                                                                SHA1:8DF2FF7294C2D9F9700873E830304490F725FA7A
                                                                                SHA-256:98B742D3C19D8CF5080FD0D0946EB2F0A1943B695DDEC5DCCE32BCAA4BFCBD19
                                                                                SHA-512:64168A8211AF287B22F5C48E3B44E54896002CE0FE79F7C463671E4DF29993F793738FA2561A3232C021DF7C29B6AD0AB46EE51C0A50701571F838E045250106
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:Certificate, Version=3
                                                                                Category:dropped
                                                                                Size (bytes):1391
                                                                                Entropy (8bit):7.705940075877404
                                                                                Encrypted:false
                                                                                SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                Category:dropped
                                                                                Size (bytes):71954
                                                                                Entropy (8bit):7.996617769952133
                                                                                Encrypted:true
                                                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):192
                                                                                Entropy (8bit):2.7464849065063075
                                                                                Encrypted:false
                                                                                SSDEEP:3:kkFklkNoNdttfllXlE/HT8kyI/h1NNX8RolJuRdxLlGB9lQRYwpDdt:kK9NQ/eT8MJ7NMa8RdWBwRd
                                                                                MD5:A52BDE16DFC3FDA1DB08983A3BDD3235
                                                                                SHA1:C4BF6F33F5E0DE14CCBD7BC6F8D2507532F8C694
                                                                                SHA-256:A4D58FC0925E481380CF0830BFF6C19C306542116B08AD90F1B12E82AE786C92
                                                                                SHA-512:76BD8FD1340681760384A2FC6867495C6734442B353890FF098240CB8C8B82C99F2B20B98C215D88FFB86D254D3D5B16C600CBB90B649DC725215044BC809B3A
                                                                                Malicious:false
                                                                                Preview:p...... ........Wh...V..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):328
                                                                                Entropy (8bit):3.1224298822818697
                                                                                Encrypted:false
                                                                                SSDEEP:6:kK5X3/L9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:RnaDnLNkPlE99SNxAhUe/3
                                                                                MD5:7E8DB912B4320C8145ABE6FCE981B3FD
                                                                                SHA1:392B3E7DF7E9731F7B39B3DBDA41476D284B3055
                                                                                SHA-256:473E5E39C1AF8740CB9C6AFFB9268CE258F1776A48419930C7DB2F8333AC88D5
                                                                                SHA-512:8B2999ABF1899A60DCBB4E54F7DD9525CF83BD8A606539261668EB9DA1C7B4C2639C0F2692B92CA4CDF0F156E8FDFF7E35FF326A138899B088EF893D6D4F6255
                                                                                Malicious:false
                                                                                Preview:p...... ........7..1.V..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):295
                                                                                Entropy (8bit):5.372229577935186
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJM3g98kUwPeUkwRe9:YvXKXyPgZc0vdsGMbLUkee9
                                                                                MD5:F54E9FF0B604F1D07FDA3C4CA5911B0D
                                                                                SHA1:5CAC5F3CF28E054705F6267F42E7FF5FAB035ED4
                                                                                SHA-256:BCC21CCBC9C6E4FCF9DC12FF4FC7D262232139C2257626BAC76CD88296B2A830
                                                                                SHA-512:0EAD348514D03B77FA6353B9DBBBDF675F4A65256A580886A9112183E39D5004FD2491E2335A047D4F4A1D09EB34A493F6A818CC47F99B62B9102820DA5786FD
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):294
                                                                                Entropy (8bit):5.321550926951569
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfBoTfXpnrPeUkwRe9:YvXKXyPgZc0vdsGWTfXcUkee9
                                                                                MD5:363D6D370EE646336DB5ABA793670DF0
                                                                                SHA1:12E31B7045054DC08A3BFF20FB58BDA70E16C56C
                                                                                SHA-256:8BA344BFE553A52945070D9B6C99D8B84AB30FF605C7FF3D55114135B5209D4E
                                                                                SHA-512:4E05C5D0AF3FC7BF945F01D64573845165AC902F9EA7AF4A3BDA842E252BEFB80EB3EB0D5410734DDEABC4D123620A2BAFEBBB477BBF571B62D53C1BA99B7742
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):294
                                                                                Entropy (8bit):5.300818720866238
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfBD2G6UpnrPeUkwRe9:YvXKXyPgZc0vdsGR22cUkee9
                                                                                MD5:3635ACF8D903BF590F65B9519019132B
                                                                                SHA1:16EDABDF64DF20896AC3C4FF7B5C5F441DBB301B
                                                                                SHA-256:13A943E0FA205DD8EB2D31BA53F851E4D2D1794EA4C36A856252B9C0BEAEE995
                                                                                SHA-512:76F5BF974615D5903A67B81B8D71EFCF9FF8518E7381C32909D09040364A1BF271EA3C6106D89A40137B59DC17D602C359BFB7CA5D5ADB68858D1CED80EFD4A4
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):285
                                                                                Entropy (8bit):5.359551178573081
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfPmwrPeUkwRe9:YvXKXyPgZc0vdsGH56Ukee9
                                                                                MD5:1BC4E7CF0FC1A0B79E3D67A98DC07C4F
                                                                                SHA1:A8A6BAB71A0B4A2ACE03A71909082FED6B80C6ED
                                                                                SHA-256:B004804464CF3A55C47B9338E7BA6D93C76E640A4A932CB1CD97EBF32AA42CAD
                                                                                SHA-512:43488FDF998974FF3226F37FBECCD407BC9440A827F690254F72645EC07E9374705A8B5784506EF583139DF9B56BD5ACEE0B20EE4B486E189D23A7BE0B9AF252
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):1123
                                                                                Entropy (8bit):5.690129059461412
                                                                                Encrypted:false
                                                                                SSDEEP:24:Yv6XegzvHpLgE9cQx8LennAvzBvkn0RCmK8czOCCSrr:Yv4vhgy6SAFv5Ah8cv/v
                                                                                MD5:904EFC9A9847562F053CC2731F7081D7
                                                                                SHA1:D29E905F8472DB00785C2B15EAAA91253B8CDAEE
                                                                                SHA-256:CC304E803ECEE870D6F1079B30DE3831237ABE7445619F7266BF739550CC18D9
                                                                                SHA-512:1D28DC52974864F680A8D043579EFE56FF8A4F62D56E27F8FBA5697D02968765879483F98F5DA219ABE3CF082FE4C4F58AF3B947BD765C1D5C9408E506503BBD
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):289
                                                                                Entropy (8bit):5.306639093417557
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJf8dPeUkwRe9:YvXKXyPgZc0vdsGU8Ukee9
                                                                                MD5:91CC55112F9A976DC06D0BE25C0578AC
                                                                                SHA1:DBD7054A9E5B8286471D94F031597837626EFCC2
                                                                                SHA-256:55B94C7C2143DDE90AA7AF1E12BC99226B954C519E2E685C64F05D6C609C000C
                                                                                SHA-512:83EE8B68B90F21F88927723122F4B7D5B0745B627273139EAD3BE2A4BD391DDAD1AD65AF4AAEC443184298C57050B6BCF5C95835394B4FDA8DFEA61AE6F3461D
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):292
                                                                                Entropy (8bit):5.309887895067931
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfQ1rPeUkwRe9:YvXKXyPgZc0vdsGY16Ukee9
                                                                                MD5:4292CD79C97988DABB84B0FD6800881B
                                                                                SHA1:2E550C77BB6D649B6BCC04C587D32F40A1D57062
                                                                                SHA-256:89169085309FB27BDAA4B3F671F1F12ACEC35061CD44E361BD556DA9DBD0F6F3
                                                                                SHA-512:A3416210ED7246C172DB61CDB7108DF38429D6591F3B00502D181B4E3B74B77A99E3048EEFFA4D0047724F08206066EF5FE4F538CE243758142A6A5DF699922E
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):289
                                                                                Entropy (8bit):5.31644730943071
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfFldPeUkwRe9:YvXKXyPgZc0vdsGz8Ukee9
                                                                                MD5:094789BC56592EC5D8819198817F67B3
                                                                                SHA1:DBCD5CBBD73CD248D06C52280CFE4E2601212958
                                                                                SHA-256:3BD3673084F08E280421B1985414ED025CDF96312F6E801F80C79FF4AF1C700D
                                                                                SHA-512:FC59FE288027CCB5D9DF667DF5F81DC9067679580B68B7C3792CDDB593F695CC5990EFF4481C2258B1CB389E41ACBE4CE15B59EA3E1D4F53D6585CB52C843962
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):295
                                                                                Entropy (8bit):5.331549343500284
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfzdPeUkwRe9:YvXKXyPgZc0vdsGb8Ukee9
                                                                                MD5:436DF9BD60E217F5C017004DB77378B0
                                                                                SHA1:5829E936BB75CD6035D57DF07646C587827D85E6
                                                                                SHA-256:841BD1F482E6FFD02B48D4044386B7EBD4707B2A124C3FFEE8476A041447B9EA
                                                                                SHA-512:F47925C84721A74DF034AAAB6758CF48EA61B951EE52775AE3F5A69A3A4714992C7376BD82AB07E8A7E15CF1C74803137A212AFD882C3A4B72237ACD4FDD6FED
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):289
                                                                                Entropy (8bit):5.312152258979992
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfYdPeUkwRe9:YvXKXyPgZc0vdsGg8Ukee9
                                                                                MD5:7AE97B42A3932426C5F0EC61554DF1AD
                                                                                SHA1:72780104807A253F680617AB3DC9D034D1C7F44E
                                                                                SHA-256:1F621F662DDBE4BE1922FA07CE05415064B9766D17F430E9C9D2D48057924297
                                                                                SHA-512:F194A45D7B68BC520A6AC9727B1E6E85B7730216EECFE38692656C3433DFAFBAE97E834D6D49FAAE61409B1236137BF4311CD731110D85FC448DE7A32F91800D
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):284
                                                                                Entropy (8bit):5.298997933644804
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJf+dPeUkwRe9:YvXKXyPgZc0vdsG28Ukee9
                                                                                MD5:58C1BFBAF209547E353AE72039E98657
                                                                                SHA1:F039021B6DD34343D6CB384FC8B5381EB2936F9D
                                                                                SHA-256:2960F5EA246DB8CBC4EECC75CAA089224C05CA13D981A66456E7626EC1D21717
                                                                                SHA-512:18F74F1D0599CAFF65498E1BF38367AD03FE3CC6FB5F783E4F5C8940D9E6766BB9AF4BA6925C3EE1B795F9D11FA40746900C628C3CE7A3E21928BEA027EB727F
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):291
                                                                                Entropy (8bit):5.295615835973581
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfbPtdPeUkwRe9:YvXKXyPgZc0vdsGDV8Ukee9
                                                                                MD5:8838098BEC36716755E5DB1B37209AC3
                                                                                SHA1:4D6690A048383B6155F853EDBFA1599053B05185
                                                                                SHA-256:3689DEFBE1C0CF381D5AE092A12F4C4A9C13736248EC955D26775A53C7EE473B
                                                                                SHA-512:AC09972447473F437D397DAEDAB81796D2AFC27DC12FA43F1BA7DE0935C9C393EAB900A3DDFC9E9CF88EF9D09B6980EF3F8840B65A90859302B843ADF26C5CAA
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):287
                                                                                Entropy (8bit):5.300121113410555
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJf21rPeUkwRe9:YvXKXyPgZc0vdsG+16Ukee9
                                                                                MD5:7814516CB36A17180179BCD644CA52AF
                                                                                SHA1:A9C5BFCB386A5234432B13959C84F9F0E97AAC8F
                                                                                SHA-256:1D3DECE24401BAC614CADE414929BBB6FE3CDA30B38DBBF0F7C7C3B5CB04E184
                                                                                SHA-512:B1C88DDD32DC8FD9105EB1F4ACA030F2FDDEB943AD93826C26D0F2DC9F1088DF07F0C2C69F1DF0CEAFD3ECFEA0B8315B7E6AAD928B5BF79F21C98A104D36CEFE
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):1090
                                                                                Entropy (8bit):5.665969928694139
                                                                                Encrypted:false
                                                                                SSDEEP:24:Yv6Xegzv/amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSrr:Yv4PBgkDMUJUAh8cvMv
                                                                                MD5:0480978F512006EDF4D6D83EFCC72A3E
                                                                                SHA1:75A7EA134A385E3CD134A238E928849AC31016F6
                                                                                SHA-256:959264A454CA3EEE69E4CFFB5C13D1D0CE83A7841A66655F1673A3729F177153
                                                                                SHA-512:0058CE421802FE19A7888E51FFA53757C54D3806316922075F201D9AD7D1B1DCCD9D8C8384A7E3ED2F69BA0959735033B64ED77A78855155DCE4A2BF64C6258A
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):286
                                                                                Entropy (8bit):5.277415728127787
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJfshHHrPeUkwRe9:YvXKXyPgZc0vdsGUUUkee9
                                                                                MD5:8A5E8FFF4749032DEE7AA1DF190A4AEC
                                                                                SHA1:0CCD808EBD44FB919F50CB105F2614D8287B6FAF
                                                                                SHA-256:86A9D4AB595F6FCEE47480D17070CFDC3DAF14B2A3B82F7435BEFB9B3AD12BBE
                                                                                SHA-512:26D20E191A0B3F190C503B7B7553A6A1992415DBDC1315CBFAC46436A61736FCF2CAB19780410523468F98DC8D685737D4FCE294D7B8B7B0B76F4D11DB129B42
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):282
                                                                                Entropy (8bit):5.283813760045535
                                                                                Encrypted:false
                                                                                SSDEEP:6:YEQXJ2HXyRUL0IiHVoZcg1vRcR0YctDDoAvJTqgFCrPeUkwRe9:YvXKXyPgZc0vdsGTq16Ukee9
                                                                                MD5:B799F89EBDA7B271883149DCFE78D26E
                                                                                SHA1:CEA854C840B2C4B3A11BA3569BBE4B554DC2068A
                                                                                SHA-256:84E56DA4DE8DCDECA8B2EE1D7B1362C5ADDEDDE0DF8C33E0A70C4C96E5D7BCC0
                                                                                SHA-512:4E344C8D7402576D286CDABEAECDFDF2BD10183DF7C155C81D1E29B058C591AF50554E9AFE4E0EA1E2224CDFFB1B39D4A20FC0C25ECCC18DB2644CBDCF5F6B47
                                                                                Malicious:false
                                                                                Preview:{"analyticsData":{"responseGUID":"1e3b621f-8987-4404-980e-3335a0c60d4e","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735321997060,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):4
                                                                                Entropy (8bit):0.8112781244591328
                                                                                Encrypted:false
                                                                                SSDEEP:3:e:e
                                                                                MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                Malicious:false
                                                                                Preview:....
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):2814
                                                                                Entropy (8bit):5.135448765739609
                                                                                Encrypted:false
                                                                                SSDEEP:24:YkMpTaanayYYjPZFcoRJEKHAWbX4GjNj0Se1hCfChhGT2gF752LS1Lw69BLg5BBA:YkephGo8SAuX3hWu6MT5dv06j819BQ
                                                                                MD5:FDDDC59207B42336667A21A8862363F7
                                                                                SHA1:94E334212F4E81E718EFF6E1FE232FA9F2226520
                                                                                SHA-256:C9DA5FACDB1B8D3DF40434CAF7E45D851DFF076B986C6FED11133036148342F7
                                                                                SHA-512:77C781CBCB8EAF316735C478CB9112DC6AEF6D847429256737365DFAF8CC1F6C3DF32C8356D28538E50A9AFCB54605B9FAD73E9B922ADBDD5B14CAD12A003307
                                                                                Malicious:false
                                                                                Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"ff941d5740195c3f2474dfc189f32f12","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735143287000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"ac605ffd90e41b7af39ee1ae726e35fa","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735143287000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"a9b4e296607c21e85b6c4fb6443becfd","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735143287000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"2ae668e4061df8437abd58dadd22175d","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735143287000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"e41e2f2cc7f0a52712d745b622c8354b","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735143287000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"5e2521f787c8df2d5821d0d854bae088","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                Category:dropped
                                                                                Size (bytes):12288
                                                                                Entropy (8bit):1.1886841459529511
                                                                                Encrypted:false
                                                                                SSDEEP:48:TGufl2GL7msEHUUUUUUUUaupSvR9H9vxFGiDIAEkGVvpuuN:lNVmswUUUUUUUU5p+FGSIt5N
                                                                                MD5:6E0331CB97212047C84A05FD9F608013
                                                                                SHA1:698678C3F0DB42419C6C7080CD2445644FCC0702
                                                                                SHA-256:631234DCF659AE25B10217D73C1FAA7B3CB931C1C4385999A6C81894671B1C42
                                                                                SHA-512:6591665999EE7225BB0B2D17126C4685C66E7218FDB1AAAC81C93DF1E3C96C2336EE5B94738323CD4B35FD6F4DC489BC960FA71955AF421C1F4871666B52C1FA
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite Rollback Journal
                                                                                Category:dropped
                                                                                Size (bytes):8720
                                                                                Entropy (8bit):1.6078195450751858
                                                                                Encrypted:false
                                                                                SSDEEP:48:7MEKUUUUUUUUUUauBvR9H9vxFGiDIAEkGVvsqFl2GL7msqy:7IUUUUUUUUUU5lFGSItiKVmsqy
                                                                                MD5:F61FE135E4D8B291981FBA563121414C
                                                                                SHA1:01A9795ECFC9075B1EFFFCA1CB6FFAE1E1A49266
                                                                                SHA-256:1418E549C7E931755A58ED07B6AD2A805AD5736151159177DA4F97416221EA13
                                                                                SHA-512:A40683595589EB79B93368074C0807E15BA3D665477F45847F9B8017E8C056D8022830F9E5E1806F61FB8721FCA497BDEE0C4B02C6208791770D63BA8C8EB98D
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):66726
                                                                                Entropy (8bit):5.392739213842091
                                                                                Encrypted:false
                                                                                SSDEEP:768:RNOpblrU6TBH44ADKZEgvD2tzg0rb/X1vr06JigL6VNzlNgwYyu:6a6TZ44ADEvDOzg0rb/lg5Nf7K
                                                                                MD5:416E938D2BCC7EAE8C32DDBAFA6C72B1
                                                                                SHA1:F600F363692592277B66ED6FF93A97A5B654C25D
                                                                                SHA-256:74A7B180DB635A01D20973BFD72EBDE64F1BE443443FABB3C45F095D458C9231
                                                                                SHA-512:C963673D33CD055D80D168999135084E7578E675305ECCC6BA59D802888EADEB586515C95AC48E7CB49A2615A359AD0A2CFB01849D3F9FB53360CC9E83BE32FB
                                                                                Malicious:false
                                                                                Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with very long lines (393)
                                                                                Category:dropped
                                                                                Size (bytes):16525
                                                                                Entropy (8bit):5.345946398610936
                                                                                Encrypted:false
                                                                                SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                                MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                                SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                                SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                                SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                                Malicious:false
                                                                                Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):15114
                                                                                Entropy (8bit):5.35777540426619
                                                                                Encrypted:false
                                                                                SSDEEP:384:qeEoAo9oApApJpUzpNphMpipOpqp+qjqNr4WrW9l7ld0w0I0n0I0EhiBidibvvvz:qzjMLqbCzfLMIM0kMCcK+B7r3YJ7mG4b
                                                                                MD5:345B376C82D40E0FC4DD492C3229CF33
                                                                                SHA1:F6CE82A8190517C012F22D39728F2EAF7EF10339
                                                                                SHA-256:829EEB3EC0D4E83B4C15E2D0DA6D4A3083F33E80918771A57906978FF69D1A0F
                                                                                SHA-512:3B91AA58416BCE043010C6886E45941C6DE1536701B21D569F7FD0ADB6A283AD6F578731EA4788C48470D54FCC52BEBCE750B4EA91DCF13CE622367E729E4397
                                                                                Malicious:false
                                                                                Preview:SessionID=350708f5-554b-4732-8102-d88d859592d3.1735143278680 Timestamp=2024-12-25T11:14:38:680-0500 ThreadID=7976 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=350708f5-554b-4732-8102-d88d859592d3.1735143278680 Timestamp=2024-12-25T11:14:38:682-0500 ThreadID=7976 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=350708f5-554b-4732-8102-d88d859592d3.1735143278680 Timestamp=2024-12-25T11:14:38:682-0500 ThreadID=7976 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=350708f5-554b-4732-8102-d88d859592d3.1735143278680 Timestamp=2024-12-25T11:14:38:682-0500 ThreadID=7976 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=350708f5-554b-4732-8102-d88d859592d3.1735143278680 Timestamp=2024-12-25T11:14:38:683-0500 ThreadID=7976 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):29752
                                                                                Entropy (8bit):5.3912898237705855
                                                                                Encrypted:false
                                                                                SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2r5:l
                                                                                MD5:B8FE2966D792B63C8D3E7D793EE66BE8
                                                                                SHA1:8FD58E29F5B9171C260A3B04721DB7F1A2EC1242
                                                                                SHA-256:87B68725C3C7082971B7D1BFBB0140E8FD73E108C2EC1866527EC861532793E5
                                                                                SHA-512:C49A72A24EC66A77E517C538E961780DBEFFFDFCE576C3D7D4318C26A66C2CFF7B8500254ACD7CA10137CBC3F9442EFBE66C4E01A15E053C58AE7E4DABC316C5
                                                                                Malicious:false
                                                                                Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                Category:dropped
                                                                                Size (bytes):1419751
                                                                                Entropy (8bit):7.976496077007677
                                                                                Encrypted:false
                                                                                SSDEEP:24576:/AYIGNPg5mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:YZG+5bWLxBGZN3mlind9i4ufFXpAXkru
                                                                                MD5:67EE77CBB3D80A714C996E4D2140CA40
                                                                                SHA1:EDD898AD748F1768695534E1F4443577C0080D18
                                                                                SHA-256:7D85503F57F2F972A24DA634140A5B4FE63A9D7DE821702148EB45AA302F4293
                                                                                SHA-512:D9163FF6C99480051FBC03331F0CA209DB91AD6CCF968A4117DE5DF2052D83AA9B2D234AAD8CE5A1DCEA1F6E1FCE7DAB11AE2EA2E0CD2486173754F67762A13E
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                                                Category:dropped
                                                                                Size (bytes):1407294
                                                                                Entropy (8bit):7.97605879016224
                                                                                Encrypted:false
                                                                                SSDEEP:24576:/yawYIGNPQbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07mWL07oXGZd:3wZG2b3mlind9i4ufFXpAXkrfUs0CWLk
                                                                                MD5:CFE92F09B3CF5F1D659B8E273EA6BE32
                                                                                SHA1:5434B8D5E70B5C581C383413B92C835DD7E9D8CC
                                                                                SHA-256:6E57E3E8E384579FE6B1F8BE103EBD1DBC57FC80171A1E34CB87C29603FBD601
                                                                                SHA-512:838DF787F3032E647AFF8F311C829C5E2F39C47EC432BD0A51F6B262C0C5CB6F63802DCB2DD4F92EFC4C816372E65AEDF4E19D4346793D1D94A485A8FF94A60C
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                Category:dropped
                                                                                Size (bytes):386528
                                                                                Entropy (8bit):7.9736851559892425
                                                                                Encrypted:false
                                                                                SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                Malicious:false
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                Category:dropped
                                                                                Size (bytes):758601
                                                                                Entropy (8bit):7.98639316555857
                                                                                Encrypted:false
                                                                                SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9UI:O3Pjegf121YS8lkipdjMMNB1DofjgJJE
                                                                                MD5:E0C414FA00EC54ABF493C4E1A12B78BA
                                                                                SHA1:C34D20BB5FE6C68AE5F80225A8E15FECF3024EE2
                                                                                SHA-256:35E5559C0AB1970EF75CC482FB9B2F72CAE090C102D918EDC744DDC385DC5104
                                                                                SHA-512:BB42E63A264A83A0C8825DE784DFF56D49D6D76433CBC8E3D228AB267B12CE52FB4F0BD524955AE84FBE1D7185CB48EA0B6A0FCC3E9E93F4F227709B1E087EBF
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                                File Type:PDF document, version 1.7, 6 pages
                                                                                Category:dropped
                                                                                Size (bytes):85137
                                                                                Entropy (8bit):7.7513343990244366
                                                                                Encrypted:false
                                                                                SSDEEP:1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
                                                                                MD5:17A9D7D59ED8076A38B9E48533A01A10
                                                                                SHA1:1EC63D0BECCCBCE15277A3C227E787131C1E8F74
                                                                                SHA-256:631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
                                                                                SHA-512:E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
                                                                                Malicious:false
                                                                                Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.
                                                                                Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                                File Type:PDF document, version 1.7, 6 pages
                                                                                Category:dropped
                                                                                Size (bytes):85137
                                                                                Entropy (8bit):7.7513343990244366
                                                                                Encrypted:false
                                                                                SSDEEP:1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
                                                                                MD5:17A9D7D59ED8076A38B9E48533A01A10
                                                                                SHA1:1EC63D0BECCCBCE15277A3C227E787131C1E8F74
                                                                                SHA-256:631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
                                                                                SHA-512:E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
                                                                                Malicious:false
                                                                                Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.
                                                                                Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                                Category:dropped
                                                                                Size (bytes):11553792
                                                                                Entropy (8bit):7.938196666665725
                                                                                Encrypted:false
                                                                                SSDEEP:196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
                                                                                MD5:B02F581793BE146506FACC3C6AEEBC32
                                                                                SHA1:DB1CB3BD3744C77E6E3253CF4480E177A358669A
                                                                                SHA-256:1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
                                                                                SHA-512:8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):130
                                                                                Entropy (8bit):4.924404357134264
                                                                                Encrypted:false
                                                                                SSDEEP:3:mKDb2nppLJTXZkRErG+fyM1K/RFofD6ANntch9wQn:hb4ZGaH1MUmy2Nn
                                                                                MD5:AA3AAB4A5BCA1D06B08C6F5D6362A5D0
                                                                                SHA1:486D423A2B689CC119CE95DFCDC018C7B552FA24
                                                                                SHA-256:A0A569883E851B4B965088F9ED9F9FBA80803B47AC6E6DD4B07DF60435184CD4
                                                                                SHA-512:2B5F84DFB399F313D11A8BFA2F3F3338CF69711D5C7B6D86E7F876C8B64DB3A664D1E3E4A4A4B0066A6949DE4E64CBA416A40BE56461556F9216EE82DE23D913
                                                                                Malicious:false
                                                                                Preview:@echo of..ping 8.8.8.8..cls..del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\*.*" /q..cls..exit
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                                Category:dropped
                                                                                Size (bytes):11553792
                                                                                Entropy (8bit):7.938196666665725
                                                                                Encrypted:false
                                                                                SSDEEP:196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
                                                                                MD5:B02F581793BE146506FACC3C6AEEBC32
                                                                                SHA1:DB1CB3BD3744C77E6E3253CF4480E177A358669A
                                                                                SHA-256:1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
                                                                                SHA-512:8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):292991
                                                                                Entropy (8bit):4.840189477976563
                                                                                Encrypted:false
                                                                                SSDEEP:3072:P4oy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+cNbynfM:P4oy25DXmNDXLDXX+cNbynfM
                                                                                MD5:A970C44274E3DAA2BE46A593BDF1DFC8
                                                                                SHA1:EA4842EABB3679DD1A2E069960D7BAD09EACB834
                                                                                SHA-256:04A530D63D77533FF5AF3E1C826CA72F5C19787B04B8A9FA4E19398777790A20
                                                                                SHA-512:764FE781F67D52D5A90F6F1EC5CD2DF49D3A293C3C6EDBA45086A52CF345C41A977D2C4FDED5CB93645926B95E05ADB6DBDB6D240C8C773851CF2C539BCF5C8A
                                                                                Malicious:false
                                                                                Preview:...@IXOS.@.....@.Y.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49F
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):1.1603065050834016
                                                                                Encrypted:false
                                                                                SSDEEP:12:JSbX72FjiNZAGiLIlHVRpBh/7777777777777777777777777vDHFfbe2vtJW4pC:JoQI5V9dviGF
                                                                                MD5:FFF76757F67C60E629A1712BEDF965D4
                                                                                SHA1:9726F2492F70AEB7F9322A0AEC0F111AA324727E
                                                                                SHA-256:E5E965818875BA2746081F4E7AF715EDC8CE34E0708E649D4DACE603599126BC
                                                                                SHA-512:16D507EFAC1E89E3A80074CBFBB18A94E1E907A7E72E6CF5606E20DDBA22535AFB8BDB3B35B43E5F9316D1B95BB844FE723206EBD2F74BCFEEE46C9BFE86B6FD
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):1.784872839269826
                                                                                Encrypted:false
                                                                                SSDEEP:48:Z8Ph+uRc06WXJSjT5p9cgY9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISB29l2:Uh+1JjT2Gm0WlfPu2qC0WlfIF/
                                                                                MD5:20657139A279B76F9D304274D748D5B7
                                                                                SHA1:99896ED9496B22E0B9FC2314A683D4F1C27ADC01
                                                                                SHA-256:DAC31C38433670EE8789F6C3D9DE0D106EAFFB38B9DF76A1AA054B01123B57FF
                                                                                SHA-512:CECBD223799E2918354D4AE80D64E71C4F2C51D28C97C84A84FA7F214110A7FCEBFD34FEEBA4D4A5D9F4346BEDA9CEAD0A663ACB7F4A4C4330AC0E0A15EE4029
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):53248
                                                                                Entropy (8bit):4.351781833522881
                                                                                Encrypted:false
                                                                                SSDEEP:384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
                                                                                MD5:CA680899D9330BEB85E6351E6DC0D27B
                                                                                SHA1:41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
                                                                                SHA-256:EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
                                                                                SHA-512:3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):57344
                                                                                Entropy (8bit):4.774504587732323
                                                                                Encrypted:false
                                                                                SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                                MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                                SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                                SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                                SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):4.31126714354722
                                                                                Encrypted:false
                                                                                SSDEEP:384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
                                                                                MD5:6A4AFFF2CD33613166B37A0DAB99BD41
                                                                                SHA1:FBC0F1696213B459D099A5809D79CFC01253880F
                                                                                SHA-256:53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
                                                                                SHA-512:7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):432221
                                                                                Entropy (8bit):5.37517788115078
                                                                                Encrypted:false
                                                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpEr8
                                                                                MD5:386286F8A6683D88D624555F590C1C49
                                                                                SHA1:18C9BB43E7A047ABB535DCA30B457D2B979113F9
                                                                                SHA-256:B059EE2F07B114B9377D634597C688AE1B8DB1F48B0B2E737959AA92CE3589C6
                                                                                SHA-512:E39E19F6D0F5BC0F8CB784741FECC4B42A08EA6B3E154FC996741DAF287D7F04918B695FB3CB8043B16911631E61BCFEA85E2A1C655978DE0B0CD8E67E2C4884
                                                                                Malicious:false
                                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):55
                                                                                Entropy (8bit):4.306461250274409
                                                                                Encrypted:false
                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                Malicious:false
                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                Category:dropped
                                                                                Size (bytes):32768
                                                                                Entropy (8bit):1.4140121956033092
                                                                                Encrypted:false
                                                                                SSDEEP:48:RlWuDI+CFXJFT55qq9cgY9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISB29lOp:PWldT3OGm0WlfPu2qC0WlfIF/
                                                                                MD5:110DAE8DD37EF98DBC90F95252829539
                                                                                SHA1:85BC2375B3EB98261513FF342DAF54C5B7E31557
                                                                                SHA-256:C476E3C8CA63BF98B4D094622BBD2BB751E922133D2A5332013BBD62BE8675C7
                                                                                SHA-512:1360AD3654E499CE0C6513EE6CD5D4FF7ECFB5843F6A68C194578B6A47BAD520D0C4C38872D1AAD5EB5024EF8D381552B128904BEFA291111BBB468F5DB859C8
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):1.784872839269826
                                                                                Encrypted:false
                                                                                SSDEEP:48:Z8Ph+uRc06WXJSjT5p9cgY9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISB29l2:Uh+1JjT2Gm0WlfPu2qC0WlfIF/
                                                                                MD5:20657139A279B76F9D304274D748D5B7
                                                                                SHA1:99896ED9496B22E0B9FC2314A683D4F1C27ADC01
                                                                                SHA-256:DAC31C38433670EE8789F6C3D9DE0D106EAFFB38B9DF76A1AA054B01123B57FF
                                                                                SHA-512:CECBD223799E2918354D4AE80D64E71C4F2C51D28C97C84A84FA7F214110A7FCEBFD34FEEBA4D4A5D9F4346BEDA9CEAD0A663ACB7F4A4C4330AC0E0A15EE4029
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):32768
                                                                                Entropy (8bit):0.06712149920142403
                                                                                Encrypted:false
                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO0AbuJ2vWEJWM1AVky6lO:2F0i8n0itFzDHFfbe2vtJWuO
                                                                                MD5:0E8B611CF5EFD5D7F4C345B5C4E1443E
                                                                                SHA1:88A30155409C7EF376FB080774D617FCD51EEB6B
                                                                                SHA-256:1DDAF54603271883C75BDB3FB0D5D7FA324500D3ECC46649D583F73FE82FBB4D
                                                                                SHA-512:6AF62D7F4423FD2635320D0E94D40F31502581BF4CE800729F8040E6A962D4E178DDA94B8C10499FAF03C37BF914598A14B1539FD2A18B83A90958235CA131EE
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):73728
                                                                                Entropy (8bit):0.22078609821458883
                                                                                Encrypted:false
                                                                                SSDEEP:48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad9:PH5FqC0WlfVm0WlfPuh
                                                                                MD5:5E02AB17D44237F4E1F158A9EB7CB37E
                                                                                SHA1:F6EB35C0438582EFF26C7797FCE78D69F8E52BE2
                                                                                SHA-256:C7A977777109DDABEC404C8D764F169FA4C644ED9CC7316B90EA92DB2E18FD03
                                                                                SHA-512:771F44813771A5F1FF747B6BF60805F86BA82CC37E3DF571A80891B0D7AF60972EDD58BDDFA12AFC9C368030181033E10DBAC7F8B1DEFDD601C911F90EB2FB4A
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):512
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3::
                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                Malicious:false
                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                Entropy (8bit):7.988555676370944
                                                                                TrID:
                                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:0442.pdf.exe
                                                                                File size:11'409'543 bytes
                                                                                MD5:4f6b2b9ee57c50d6c505d0cdada4803e
                                                                                SHA1:ad7dee6f1f71c4fe6299170a160592f139390e12
                                                                                SHA256:62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
                                                                                SHA512:43607bd5bd78dea051340a684ad3311172adc590e5ffcd8a7c576e3f6ddba7e13750bab2a957b4d9fdec0d68b67d5391e779ee625006d00b82a65ecfc62525ce
                                                                                SSDEEP:196608:rqwdhlYLDYm+q6yU4zpDKpuLkQ9aP8F5hidaKsv7kDXFd+bIYW2LJjIeTF:Nw3Yi6yU4zpDeuREkF5PlgP+0ijIeh
                                                                                TLSH:75B6334AF79008F8E0E6F67485778425E6723D4E1338A59F57A83A2B7E773118C36722
                                                                                Icon Hash:0fd88dc89ea7861b
                                                                                Entrypoint:0x140032ee0
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x140000000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:2
                                                                                File Version Major:5
                                                                                File Version Minor:2
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:2
                                                                                Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                Instruction
                                                                                Programming Language:
                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x154f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x154f4 | 0x15600 | 830fe0401acd1728e669a91fa1858e36 | False | 0.2520559210526316 | data | 4.6583703321340835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | | | 0.14468236129184905
RT_DIALOG | 0x82e70 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x830f8 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x83234 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x83320 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x83450 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x83788 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x839dc | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x83bc0 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x83d8c | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x83f44 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x8408c | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x844f8 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x84660 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x847b4 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x848c0 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x8497c | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x84b3c | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x84d8c | 0x14 | data | | | 1.15
RT_MANIFEST | 0x84da0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Dec 25, 2024 17:14:58.159271955 CET4975580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:14:58.159271955 CET4975580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:14:58.174813032 CET497568080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:14:58.174813032 CET497568080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:14:58.209528923 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:58.252772093 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:14:58.282641888 CET8049755101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:58.282655001 CET8049755101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:58.298247099 CET808049756101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:58.298257113 CET808049756101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:59.226660967 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:14:59.268393993 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.240886927 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:00.284040928 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.640944958 CET8049755101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:00.643274069 CET4975580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.643403053 CET4975580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.693263054 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.763320923 CET8049755101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:00.818615913 CET8049758101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:00.818722010 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.831003904 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.831135988 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:00.957277060 CET8049758101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:00.957288980 CET8049758101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:01.256477118 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:01.299654007 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:02.257060051 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:02.299653053 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:03.272361040 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:03.315367937 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:03.421484947 CET8049758101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:03.421665907 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:03.421751976 CET4975880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:03.541246891 CET8049758101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:04.240906000 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:04.288106918 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:04.330914021 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:04.362214088 CET8049759101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:04.362286091 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:04.378006935 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:04.378225088 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:04.501583099 CET8049759101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:04.501722097 CET8049759101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:05.303344011 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:05.346527100 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:05.903867006 CET808049756101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:05.903963089 CET497568080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:05.904036045 CET497568080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:05.943161964 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.023631096 CET808049756101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.062714100 CET808049760101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.062774897 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.081070900 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.081070900 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.200649023 CET808049760101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.200660944 CET808049760101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.320875883 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.377801895 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.951539040 CET8049759101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:06.951719999 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:06.951961994 CET4975980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:07.037416935 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:07.074275017 CET8049759101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:07.157169104 CET8049761101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:07.157550097 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:07.175193071 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:07.175271034 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:07.296171904 CET8049761101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:07.296178102 CET8049761101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:07.320295095 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:07.362210035 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.350413084 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:08.393420935 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.652812004 CET808049760101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:08.652863026 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.653107882 CET497608080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.676547050 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.772541046 CET808049760101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:08.796854973 CET808049762101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:08.796916962 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.815390110 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.815399885 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:08.935033083 CET808049762101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:08.935049057 CET808049762101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:09.365780115 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:09.409058094 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.749542952 CET8049761101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:09.749682903 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.749684095 CET4976180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.769474030 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.869891882 CET8049761101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:09.889003992 CET8049763101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:09.889238119 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.909116030 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:09.909116030 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:10.029022932 CET8049763101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:10.029038906 CET8049763101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:10.383865118 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:10.440288067 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.386495113 CET808049762101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:11.386650085 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.386749029 CET497628080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.397641897 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:11.416311979 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.440284967 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.506546974 CET808049762101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:11.536386013 CET808049764101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:11.536467075 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.549731016 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.549777985 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:11.669336081 CET808049764101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:11.669353008 CET808049764101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.513658047 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.513672113 CET8049763101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.513792992 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.513938904 CET4976380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.565357924 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.612973928 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.639537096 CET8049763101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.732662916 CET8049765101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.732856989 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.753336906 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.753405094 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:12.873111963 CET8049765101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:12.873122931 CET8049765101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:13.431006908 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:13.487184048 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.121741056 CET808049764101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.121817112 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.121916056 CET497648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.145646095 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.242021084 CET808049764101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.265304089 CET808049766101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.265494108 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.284126043 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.284126043 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:14.403817892 CET808049766101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.403827906 CET808049766101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.444094896 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:14.487251997 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.326598883 CET8049765101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:15.326729059 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.326770067 CET4976580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.347647905 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.446271896 CET8049765101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:15.460448027 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:15.467197895 CET8049767101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:15.467271090 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.487299919 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.487299919 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.502796888 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:15.607043028 CET8049767101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:15.607053995 CET8049767101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:16.474906921 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:16.519248009 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:16.860780954 CET808049766101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:16.860902071 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:16.860987902 CET497668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:16.881819963 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:16.980544090 CET808049766101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:17.001425028 CET808049768101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:17.001822948 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:17.018551111 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:17.018551111 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:17.138221979 CET808049768101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:17.138232946 CET808049768101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:17.475301981 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:17.518433094 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.059637070 CET8049767101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.059715033 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.059766054 CET4976780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.082247019 CET4976980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.179994106 CET8049767101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.202209949 CET8049769101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.202332973 CET4976980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.221663952 CET4976980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.221664906 CET4976980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:18.341289043 CET8049769101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.341382027 CET8049769101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.490643978 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:18.534190893 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:19.491297007 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:19.534149885 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:19.594427109 CET808049768101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:19.597301006 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:19.602650881 CET497688080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:19.614754915 CET497708080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:19.722313881 CET808049768101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.591422081 CET8049813101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.748317003 CET808049807101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.751358032 CET498078080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.751441002 CET498078080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.769483089 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.849977970 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.873182058 CET808049807101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.892855883 CET808049814101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:44.892946005 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.893517017 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.909151077 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:44.909151077 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:45.029014111 CET808049814101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:45.029088974 CET808049814101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:45.865878105 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:45.909147978 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:46.865993977 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:46.924727917 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.050024986 CET8049813101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.053436041 CET4981380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.053494930 CET4981380192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.066982031 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.174428940 CET8049813101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.187766075 CET8049821101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.189352989 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.348803043 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.348819971 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.468498945 CET8049821101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.468518972 CET8049821101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.481800079 CET808049814101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.481872082 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.481995106 CET498148080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:47.601557016 CET808049814101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.881335020 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:47.924906969 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:48.425911903 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:48.545531988 CET808049826101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:48.545608044 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:48.565546989 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:48.565563917 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:48.685319901 CET808049826101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:48.685343027 CET808049826101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:48.897042990 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:48.940351009 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:49.777209044 CET8049821101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:49.779452085 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:49.779452085 CET4982180192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:49.838510036 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:49.899075031 CET8049821101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:49.915301085 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:49.956073999 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:49.958121061 CET8049828101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:49.958215952 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:50.001144886 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:50.001508951 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:50.120832920 CET8049828101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:50.121124983 CET8049828101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:50.928343058 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:50.971620083 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.138534069 CET808049826101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:51.139437914 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.139437914 CET498268080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.222620010 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.259309053 CET808049826101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:51.342235088 CET808049833101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:51.342417002 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.362406015 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.362406015 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:51.482141018 CET808049833101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:51.482157946 CET808049833101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:51.944006920 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:52.002957106 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.543883085 CET8049828101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:52.547432899 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.574152946 CET4982880192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.696707010 CET8049828101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:52.787355900 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.907748938 CET8049839101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:52.907828093 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.909394026 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.909413099 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:52.959678888 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:53.002851963 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:53.029196978 CET8049839101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:53.029216051 CET8049839101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:53.937709093 CET808049833101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:53.937789917 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:53.937855005 CET498338080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:53.956774950 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:53.974754095 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:54.018487930 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:54.063615084 CET808049833101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:54.082462072 CET808049841101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:54.082530975 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:54.096694946 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:54.096708059 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:54.219851017 CET808049841101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:54.219897032 CET808049841101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:54.991044044 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:55.034106970 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.503947973 CET8049839101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:55.505359888 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.511986017 CET4983980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.598112106 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.633407116 CET8049839101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:55.718647957 CET8049846101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:55.718708992 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.737339020 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.737358093 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:55.857044935 CET8049846101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:55.857126951 CET8049846101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.006448984 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.049798965 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.685214043 CET808049841101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.686362982 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.686400890 CET498418080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.691674948 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.805939913 CET808049841101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.811228991 CET808049852101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.811301947 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.831123114 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.831186056 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:56.950788021 CET808049852101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:56.950798035 CET808049852101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:57.021910906 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:57.065371990 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.037600994 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:58.080996037 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.311505079 CET8049846101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:58.311564922 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.311615944 CET4984680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.331841946 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.431098938 CET8049846101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:58.451636076 CET8049854101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:58.451699972 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.471745014 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.471756935 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:58.596502066 CET8049854101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:58.596604109 CET8049854101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:59.054028034 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:59.096633911 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.720254898 CET808049852101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:59.720314980 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.720351934 CET498528080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.754175901 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.844786882 CET808049852101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:59.875689983 CET808049859101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:15:59.875746965 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.893625975 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:15:59.893640995 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:00.013986111 CET808049859101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:00.014002085 CET808049859101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:00.068914890 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:00.112255096 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.044452906 CET8049854101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:01.044523954 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.044583082 CET4985480192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.066505909 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.084800959 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:01.127863884 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.164256096 CET8049854101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:01.187975883 CET8049865101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:01.188143969 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.206890106 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.206890106 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:01.327203035 CET8049865101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:01.327218056 CET8049865101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.100672960 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.143569946 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.467005968 CET808049859101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.467081070 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.467122078 CET498598080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.488490105 CET498668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.588185072 CET808049859101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.631103039 CET808049866101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.631205082 CET498668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.768749952 CET498668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.768750906 CET498668080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:02.895025015 CET808049866101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:02.895041943 CET808049866101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:03.116063118 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:03.174735069 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:03.779685974 CET8049865101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:03.779793978 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:03.779793978 CET4986580192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:03.800874949 CET4987280192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:03.899555922 CET8049865101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:03.920520067 CET8049872101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:33.570487022 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:33.573527098 CET499558080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:33.594904900 CET499558080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:33.594904900 CET499558080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:33.600555897 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:33.643559933 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:33.716099977 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:33.716120005 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:34.617156982 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:34.659229040 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:34.802917004 CET8049920101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:34.803009987 CET4992080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:34.803066969 CET4992080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:34.863401890 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:34.922743082 CET8049920101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:34.983124971 CET8049959101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:34.983191967 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:35.003022909 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:35.003119946 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:35.123790026 CET8049959101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:35.123827934 CET8049959101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:35.631339073 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:35.674817085 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.560404062 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.560596943 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.560796976 CET499558080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.617728949 CET499558080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.647366047 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.690427065 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.698626995 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.739130974 CET808049955101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.820581913 CET808049964101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.821719885 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.832876921 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.832878113 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:36.953737974 CET808049964101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:36.953793049 CET808049964101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.582288980 CET8049959101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.582364082 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.582422018 CET4995980192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.597928047 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.662849903 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.706058979 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.708726883 CET8049959101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.724416018 CET8049967101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.725240946 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.737422943 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.737442017 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:37.858169079 CET8049967101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:37.858200073 CET8049967101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:38.678354025 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:38.737310886 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:39.427172899 CET808049964101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:39.427242994 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:39.694668055 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:39.737293959 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.312211990 CET8049967101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.312274933 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.493418932 CET4996780192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.493624926 CET499648080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.550611019 CET4997680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.566227913 CET499778080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.613471985 CET8049967101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.613543034 CET808049964101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.671217918 CET8049976101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.671355009 CET4997680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.686021090 CET808049977101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.686100006 CET499778080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.690732002 CET4997680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.690732002 CET4997680192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.706233025 CET499778080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.706233025 CET499778080192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.709610939 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.752942085 CET497465651192.168.2.4101.99.91.150
                                                                                Dec 25, 2024 17:16:40.810753107 CET8049976101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.810937881 CET8049976101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.826646090 CET808049977101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:40.826698065 CET808049977101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:41.729816914 CET565149746101.99.91.150192.168.2.4
                                                                                Dec 25, 2024 17:16:41.784177065 CET497465651192.168.2.4101.99.91.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 25, 2024 17:14:45.749666929 CET | 64230 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Dec 25, 2024 17:14:35.974242926 CET | 192.168.2.4 | 8.8.8.8 | 4d5a |  | Echo
Dec 25, 2024 17:14:36.097138882 CET | 8.8.8.8 | 192.168.2.4 | 555a |  | Echo Reply
Dec 25, 2024 17:14:37.088776112 CET | 192.168.2.4 | 8.8.8.8 | 4d59 |  | Echo
Dec 25, 2024 17:14:37.211051941 CET | 8.8.8.8 | 192.168.2.4 | 5559 |  | Echo Reply
Dec 25, 2024 17:14:38.216187954 CET | 192.168.2.4 | 8.8.8.8 | 4d58 |  | Echo
Dec 25, 2024 17:14:38.342116117 CET | 8.8.8.8 | 192.168.2.4 | 5558 |  | Echo Reply
Dec 25, 2024 17:14:40.126086950 CET | 192.168.2.4 | 8.8.8.8 | 4d57 |  | Echo
Dec 25, 2024 17:14:40.248972893 CET | 8.8.8.8 | 192.168.2.4 | 5557 |  | Echo Reply
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 25, 2024 17:14:45.749666929 CET | 192.168.2.4 | 1.1.1.1 | 0x8de2 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 25, 2024 17:14:46.061147928 CET | 1.1.1.1 | 192.168.2.4 | 0x8de2 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 25, 2024 17:14:56.597717047 CET | 1.1.1.1 | 192.168.2.4 | 0x6814 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 25, 2024 17:14:56.597717047 CET | 1.1.1.1 | 192.168.2.4 | 0x6814 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 25, 2024 17:14:56.597717047 CET | 1.1.1.1 | 192.168.2.4 | 0x6814 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 25, 2024 17:14:56.597717047 CET | 1.1.1.1 | 192.168.2.4 | 0x6814 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.101 | A (IP address) | IN (0x0001) | false
Dec 25, 2024 17:14:56.597717047 CET | 1.1.1.1 | 192.168.2.4 | 0x6814 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.99 | A (IP address) | IN (0x0001) | false
                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                0192.168.2.449747101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:14:52.001658916 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:14:52.001738071 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                1192.168.2.449752101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:14:55.209120035 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:14:55.209196091 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                2192.168.2.449755101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:14:58.159271955 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:14:58.159271955 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                3192.168.2.449758101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:00.831003904 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:00.831135988 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                4192.168.2.449759101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:04.378006935 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:04.378225088 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                5192.168.2.449761101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:07.175193071 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:07.175271034 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                6192.168.2.449763101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:09.909116030 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:09.909116030 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                7192.168.2.449765101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:12.753336906 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:12.753405094 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                8192.168.2.449767101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:15.487299919 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:15.487299919 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                9192.168.2.449769101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:18.221663952 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:18.221664906 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                10192.168.2.449771101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:20.956034899 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:20.956034899 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                11192.168.2.449773101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:23.690557957 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:23.690557957 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                12192.168.2.449775101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:26.424880028 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:26.424896002 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                13192.168.2.449777101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:29.394898891 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:29.394944906 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                14192.168.2.449780101.99.91.150808532C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 25, 2024 17:15:32.112374067 CET6OUTData Raw: 00 00 00 01
                                                                                Data Ascii:
                                                                                Dec 25, 2024 17:15:32.112394094 CET6OUTData Raw: 00 00 00 03
                                                                                Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49788 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:35.878221989 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:35.878221989 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:
Dec 25, 2024 17:15:36.237473011 CET | 8 | OUT | Data Raw: 00 00 00 01 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49795 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:39.003189087 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:39.003200054 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49806 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:41.737255096 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:41.737270117 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49813 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:44.471656084 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:44.471656084 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49821 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:47.348803043 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:47.348819971 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49828 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:50.001144886 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:50.001508951 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49839 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:52.909394026 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:52.909413099 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49846 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:55.737339020 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:55.737358093 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49854 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:15:58.471745014 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:15:58.471756935 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49865 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:01.206890106 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:01.206890106 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49872 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:03.940541983 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:03.940541983 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49879 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:06.675105095 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:06.675117970 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49887 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:09.518974066 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:09.518999100 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49898 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:12.252991915 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:12.253034115 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49905 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:14.987363100 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:14.987413883 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49912 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:17.721698046 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:17.723618984 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49920 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:20.456130981 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:20.456166029 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49959 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:35.003022909 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:35.003119946 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49967 | 101.99.91.150 | 80 | 8532 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:37.737422943 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:37.737442017 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.4 | 49976 | 101.99.91.150 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 17:16:40.690732002 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 25, 2024 17:16:40.690732002 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:



                                                                                Target ID:0
                                                                                Start time:11:14:32
                                                                                Start date:25/12/2024
                                                                                Path:C:\Users\user\Desktop\0442.pdf.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\0442.pdf.exe"
                                                                                Imagebase:0x7ff600fc0000
                                                                                File size:11'409'543 bytes
                                                                                MD5 hash:4F6B2B9EE57C50D6C505D0CDADA4803E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:11:14:33
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
                                                                                Imagebase:0x7ff607150000
                                                                                File size:69'632 bytes
                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:11:14:33
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
                                                                                Imagebase:0x7ff750960000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:11:14:33
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:11:14:33
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
                                                                                Imagebase:0x7ff6bc1b0000
                                                                                File size:5'641'176 bytes
                                                                                MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:5
                                                                                Start time:11:14:33
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                Imagebase:0x7ff607150000
                                                                                File size:69'632 bytes
                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:6
                                                                                Start time:11:14:34
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
                                                                                Imagebase:0x7ff6bc1b0000
                                                                                File size:5'641'176 bytes
                                                                                MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:11:14:34
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\PING.EXE
                                                                                Wow64 process (32bit):false
                                                                                Commandline:ping 8.8.8.8
                                                                                Imagebase:0x7ff6b9bd0000
                                                                                File size:22'528 bytes
                                                                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:11:14:36
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                Imagebase:0x7ff74bb60000
                                                                                File size:3'581'912 bytes
                                                                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:9
                                                                                Start time:11:14:36
                                                                                Start date:25/12/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff6eef20000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:10
                                                                                Start time:11:14:36
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1540,i,18215150213972139035,17261459285525738276,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                Imagebase:0x7ff74bb60000
                                                                                File size:3'581'912 bytes
                                                                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:12
                                                                                Start time:11:14:44
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000000.1785110285.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 3%, ReversingLabs
                                                                                Has exited:true

                                                                                Target ID:13
                                                                                Start time:11:14:44
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                                                                                Imagebase:0x400000
                                                                                File size:7'753'808 bytes
                                                                                MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000D.00000000.1792887318.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 8%, ReversingLabs
                                                                                Has exited:true

                                                                                Target ID:14
                                                                                Start time:11:14:46
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:15
                                                                                Start time:11:14:46
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                                                                                Imagebase:0x400000
                                                                                File size:7'753'808 bytes
                                                                                MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:16
                                                                                Start time:11:14:47
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:17
                                                                                Start time:11:14:47
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                                                                                Imagebase:0x400000
                                                                                File size:7'753'808 bytes
                                                                                MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:18
                                                                                Start time:11:14:48
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
                                                                                Imagebase:0x400000
                                                                                File size:7'753'808 bytes
                                                                                MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:false

                                                                                Target ID:20
                                                                                Start time:11:14:50
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:false

                                                                                Target ID:21
                                                                                Start time:11:14:50
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:false

                                                                                Target ID:22
                                                                                Start time:11:14:50
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:23
                                                                                Start time:11:14:51
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:24
                                                                                Start time:11:14:52
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:25
                                                                                Start time:11:14:53
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:26
                                                                                Start time:11:14:54
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:29
                                                                                Start time:11:15:02
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:30
                                                                                Start time:11:15:34
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                Target ID:31
                                                                                Start time:11:15:47
                                                                                Start date:25/12/2024
                                                                                Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                Imagebase:0x400000
                                                                                File size:6'307'408 bytes
                                                                                MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:Borland Delphi
                                                                                Has exited:true

                                                                                  Execution Graph

                                                                                  Execution Coverage:12.2%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:26.2%
                                                                                  Total number of Nodes:2000
                                                                                  Total number of Limit Nodes:28
CreateFileW 28576->28577 28579 7ff600fde403 SetFilePointer 28577->28579 28580 7ff600fde4f0 CloseHandle 28577->28580 28579->28580 28581 7ff600fde41c ReadFile 28579->28581 28582 7ff600fc1fa0 31 API calls 28580->28582 28581->28580 28583 7ff600fde444 28581->28583 28582->28566 28584 7ff600fde800 28583->28584 28585 7ff600fde458 28583->28585 28739 7ff600ff2624 8 API calls 28584->28739 28591 7ff600fc129c 33 API calls 28585->28591 28589 7ff600fde53e CompareStringW 28587->28589 28590 7ff600fc129c 33 API calls 28587->28590 28592 7ff600fd8090 47 API calls 28587->28592 28595 7ff600fc1fa0 31 API calls 28587->28595 28598 7ff600fd32bc 51 API calls 28587->28598 28621 7ff600fde5cc 28587->28621 28722 7ff600fd51a4 28587->28722 28588 7ff600fde805 28589->28587 28590->28587 28593 7ff600fde48f 28591->28593 28592->28587 28599 7ff600fde4db 28593->28599 28728 7ff600fdd0a0 28593->28728 28595->28587 28596 7ff600fde7c2 28601 7ff600fc1fa0 31 API calls 28596->28601 28597 7ff600fde648 28732 7ff600fd7eb0 47 API calls 28597->28732 28598->28587 28602 7ff600fc1fa0 31 API calls 28599->28602 28604 7ff600fde7cb 28601->28604 28605 7ff600fde4e5 28602->28605 28603 7ff600fde651 28606 7ff600fd51a4 9 API calls 28603->28606 28608 7ff600fc1fa0 31 API calls 28604->28608 28609 7ff600fc1fa0 31 API calls 28605->28609 28610 7ff600fde656 28606->28610 28607 7ff600fc129c 33 API calls 28607->28621 28611 7ff600fde7d5 28608->28611 28609->28580 28612 7ff600fde706 28610->28612 28622 7ff600fde661 28610->28622 28614 7ff600ff2320 _handle_error 8 API calls 28611->28614 28615 7ff600fdda98 48 API calls 28612->28615 28613 7ff600fd8090 47 API calls 28613->28621 28616 7ff600fde7e4 28614->28616 28617 7ff600fde74b AllocConsole 28615->28617 28616->28453 28619 7ff600fde755 GetCurrentProcessId AttachConsole 28617->28619 28620 7ff600fde6fb 28617->28620 28618 7ff600fc1fa0 31 API calls 28618->28621 28623 7ff600fde76c 28619->28623 28626 7ff600fc19e0 std::locale::global 31 API calls 28620->28626 28621->28607 28621->28613 28621->28618 28624 
7ff600fd32bc 51 API calls 28621->28624 28628 7ff600fde63a 28621->28628 28625 7ff600fdaae0 48 API calls 28622->28625 28631 7ff600fde778 GetStdHandle WriteConsoleW Sleep FreeConsole 28623->28631 28624->28621 28627 7ff600fde6a5 28625->28627 28629 7ff600fde7b9 ExitProcess 28626->28629 28630 7ff600fdda98 48 API calls 28627->28630 28628->28596 28628->28597 28632 7ff600fde6c3 28630->28632 28631->28620 28633 7ff600fdaae0 48 API calls 28632->28633 28634 7ff600fde6ce 28633->28634 28733 7ff600fddc2c 33 API calls 28634->28733 28636 7ff600fde6da 28734 7ff600fc19e0 28636->28734 28639 7ff600fddd88 28638->28639 28640 7ff600fe9481 OleInitialize 28639->28640 28641 7ff600fe94a7 28640->28641 28642 7ff600fe94cd SHGetMalloc 28641->28642 28642->28456 28644 7ff600fe9a49 28643->28644 28646 7ff600fe9a4e BuildCatchObjectHelperInternal 28643->28646 28645 7ff600fc1fa0 31 API calls 28644->28645 28645->28646 28647 7ff600fc1fa0 31 API calls 28646->28647 28648 7ff600fe9a7d BuildCatchObjectHelperInternal 28646->28648 28647->28648 28649 7ff600fc1fa0 31 API calls 28648->28649 28652 7ff600fe9aac BuildCatchObjectHelperInternal 28648->28652 28649->28652 28650 7ff600fc1fa0 31 API calls 28651 7ff600fe9adb BuildCatchObjectHelperInternal 28650->28651 28651->28459 28651->28651 28652->28650 28652->28651 28654 7ff600fdd0a0 33 API calls 28653->28654 28670 7ff600fecb1f BuildCatchObjectHelperInternal 28654->28670 28655 7ff600fecd8b 28656 7ff600fecdbe 28655->28656 28659 7ff600fecde4 28655->28659 28657 7ff600ff2320 _handle_error 8 API calls 28656->28657 28660 7ff600fecdcf 28657->28660 28658 7ff600fdd0a0 33 API calls 28658->28670 28661 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28659->28661 28660->28477 28662 7ff600fecde9 28661->28662 28741 7ff600fc704c 47 API calls BuildCatchObjectHelperInternal 28662->28741 28663 7ff600fecdef 28742 7ff600fc704c 47 API calls BuildCatchObjectHelperInternal 28663->28742 28666 7ff600fecdf5 28668 7ff600fc1fa0 31 API calls 28668->28670 28669 7ff600fc129c 33 API calls 
28669->28670 28670->28655 28670->28658 28670->28659 28670->28662 28670->28663 28670->28668 28670->28669 28740 7ff600fdbb00 102 API calls 28670->28740 28672 7ff600fefd3c SetEnvironmentVariableW 28671->28672 28673 7ff600fefd39 28671->28673 28674 7ff600fdd0a0 33 API calls 28672->28674 28673->28672 28675 7ff600fefd74 28674->28675 28676 7ff600fefdc3 28675->28676 28683 7ff600fefdad SetEnvironmentVariableW 28675->28683 28679 7ff600fefe1b 28676->28679 28680 7ff600fefdfa 28676->28680 28677 7ff600ff2320 _handle_error 8 API calls 28678 7ff600fefe0b 28677->28678 28678->28464 28678->28503 28681 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28679->28681 28680->28677 28682 7ff600fefe20 28681->28682 28683->28676 28685 7ff600feb03e 28684->28685 28688 7ff600feb046 28684->28688 28743 7ff600fe8624 FindResourceW 28685->28743 28687 7ff600feb04e GetObjectW 28689 7ff600feb063 28687->28689 28688->28687 28688->28689 28690 7ff600fe849c 4 API calls 28689->28690 28691 7ff600feb078 28690->28691 28692 7ff600feb0ce 28691->28692 28693 7ff600feb09e 28691->28693 28695 7ff600fe8624 11 API calls 28691->28695 28703 7ff600fd98ac 28692->28703 28758 7ff600fe8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28693->28758 28696 7ff600feb08a 28695->28696 28696->28693 28698 7ff600feb092 DeleteObject 28696->28698 28697 7ff600feb0a7 28699 7ff600fe84cc 4 API calls 28697->28699 28698->28693 28700 7ff600feb0b2 28699->28700 28759 7ff600fe8df4 16 API calls _handle_error 28700->28759 28702 7ff600feb0bf DeleteObject 28702->28692 28760 7ff600fd98dc 28703->28760 28705 7ff600fd98ba 28827 7ff600fda43c GetModuleHandleW FindResourceW 28705->28827 28707 7ff600fd98c2 28707->28490 28709 7ff600ff21d0 33 API calls 28708->28709 28710 7ff600fe67fa 28709->28710 28710->28499 28712 7ff600fe9501 28711->28712 28713 7ff600fe950a OleUninitialize 28712->28713 28714 7ff60102e330 28713->28714 28715->28495 28716->28504 28717->28508 28718->28511 28719->28520 28721 7ff600fddff4 GetModuleHandleW 28720->28721 28721->28564 
28721->28565 28723 7ff600fd51c8 GetVersionExW 28722->28723 28724 7ff600fd51fb 28722->28724 28723->28724 28725 7ff600ff2320 _handle_error 8 API calls 28724->28725 28726 7ff600fd5228 28725->28726 28726->28587 28727->28572 28729 7ff600fdd0d2 28728->28729 28730 7ff600fdd106 28729->28730 28731 7ff600fc1744 33 API calls 28729->28731 28730->28593 28731->28729 28732->28603 28733->28636 28736 7ff600fc1fa0 28734->28736 28735 7ff600fc1fdc 28735->28620 28736->28735 28737 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28736->28737 28738 7ff600fc2000 28737->28738 28739->28588 28740->28670 28741->28663 28742->28666 28744 7ff600fe879b 28743->28744 28745 7ff600fe864f SizeofResource 28743->28745 28744->28688 28745->28744 28746 7ff600fe8669 LoadResource 28745->28746 28746->28744 28747 7ff600fe8682 LockResource 28746->28747 28747->28744 28748 7ff600fe8697 GlobalAlloc 28747->28748 28748->28744 28749 7ff600fe86b8 GlobalLock 28748->28749 28750 7ff600fe8792 GlobalFree 28749->28750 28751 7ff600fe86ca BuildCatchObjectHelperInternal 28749->28751 28750->28744 28752 7ff600fe86d8 CreateStreamOnHGlobal 28751->28752 28753 7ff600fe8789 GlobalUnlock 28752->28753 28754 7ff600fe86f6 GdipAlloc 28752->28754 28753->28750 28755 7ff600fe870b 28754->28755 28755->28753 28756 7ff600fe8772 28755->28756 28757 7ff600fe875a GdipCreateHBITMAPFromBitmap 28755->28757 28756->28753 28757->28756 28758->28697 28759->28702 28763 7ff600fd98fe _snwprintf 28760->28763 28761 7ff600fd9973 28837 7ff600fd68b0 48 API calls 28761->28837 28763->28761 28765 7ff600fd9a89 28763->28765 28764 7ff600fc1fa0 31 API calls 28767 7ff600fd99fd 28764->28767 28765->28767 28770 7ff600fc20b0 33 API calls 28765->28770 28766 7ff600fd997d BuildCatchObjectHelperInternal 28766->28764 28768 7ff600fda42e 28766->28768 28772 7ff600fd24c0 54 API calls 28767->28772 28769 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28768->28769 28771 7ff600fda434 28769->28771 28770->28767 28775 7ff600ff7904 _invalid_parameter_noinfo_noreturn 
31 API calls 28771->28775 28773 7ff600fd9a1a 28772->28773 28774 7ff600fd9a22 28773->28774 28782 7ff600fd9aad 28773->28782 28776 7ff600fd204c 100 API calls 28774->28776 28778 7ff600fda43a 28775->28778 28779 7ff600fd9a2b 28776->28779 28777 7ff600fd9b17 28829 7ff600ffa450 28777->28829 28779->28771 28781 7ff600fd9a66 28779->28781 28785 7ff600ff2320 _handle_error 8 API calls 28781->28785 28782->28777 28786 7ff600fd8e58 33 API calls 28782->28786 28784 7ff600ffa450 31 API calls 28798 7ff600fd9b57 __vcrt_InitializeCriticalSectionEx 28784->28798 28787 7ff600fda40e 28785->28787 28786->28782 28787->28705 28788 7ff600fd9c89 28790 7ff600fd2aa0 101 API calls 28788->28790 28801 7ff600fd9d5c 28788->28801 28789 7ff600fd2bb0 101 API calls 28789->28798 28792 7ff600fd9ca1 28790->28792 28791 7ff600fd28d0 104 API calls 28791->28798 28793 7ff600fd28d0 104 API calls 28792->28793 28792->28801 28799 7ff600fd9cc9 28793->28799 28794 7ff600fd204c 100 API calls 28796 7ff600fda3f5 28794->28796 28795 7ff600fd2aa0 101 API calls 28795->28798 28797 7ff600fc1fa0 31 API calls 28796->28797 28797->28781 28798->28788 28798->28789 28798->28791 28798->28795 28798->28801 28799->28801 28821 7ff600fd9cd7 __vcrt_InitializeCriticalSectionEx 28799->28821 28838 7ff600fe0bbc MultiByteToWideChar 28799->28838 28801->28794 28802 7ff600fda1ec 28814 7ff600fda2c2 28802->28814 28844 7ff600ffcf90 31 API calls 2 library calls 28802->28844 28804 7ff600fda157 28804->28802 28841 7ff600ffcf90 31 API calls 2 library calls 28804->28841 28806 7ff600fda14b 28806->28705 28808 7ff600fda2ae 28808->28814 28846 7ff600fd8cd0 33 API calls 2 library calls 28808->28846 28809 7ff600fda249 28845 7ff600ffb7bc 31 API calls _invalid_parameter_noinfo_noreturn 28809->28845 28810 7ff600fda3a2 28811 7ff600ffa450 31 API calls 28810->28811 28813 7ff600fda3cb 28811->28813 28816 7ff600ffa450 31 API calls 28813->28816 28814->28810 28818 7ff600fd8e58 33 API calls 28814->28818 28815 7ff600fda16d 28842 7ff600ffb7bc 31 API calls 
_invalid_parameter_noinfo_noreturn 28815->28842 28816->28801 28818->28814 28819 7ff600fda1d8 28819->28802 28843 7ff600fd8cd0 33 API calls 2 library calls 28819->28843 28821->28801 28821->28802 28821->28804 28821->28806 28822 7ff600fda429 28821->28822 28824 7ff600fe0f68 WideCharToMultiByte 28821->28824 28839 7ff600fdaa88 45 API calls _snwprintf 28821->28839 28840 7ff600ffa270 31 API calls 2 library calls 28821->28840 28847 7ff600ff2624 8 API calls 28822->28847 28824->28821 28828 7ff600fda468 28827->28828 28828->28707 28830 7ff600ffa47d 28829->28830 28836 7ff600ffa492 28830->28836 28848 7ff600ffd69c 15 API calls abort 28830->28848 28832 7ff600ffa487 28849 7ff600ff78e4 31 API calls _invalid_parameter_noinfo_noreturn 28832->28849 28833 7ff600ff2320 _handle_error 8 API calls 28835 7ff600fd9b37 28833->28835 28835->28784 28836->28833 28837->28766 28838->28821 28839->28821 28840->28821 28841->28815 28842->28819 28843->28802 28844->28809 28845->28808 28846->28814 28847->28768 28848->28832 28849->28836 25902 7ff600feb190 26245 7ff600fc255c 25902->26245 25904 7ff600feb1db 25905 7ff600febe93 25904->25905 25906 7ff600feb1ef 25904->25906 26055 7ff600feb20c 25904->26055 26530 7ff600fef390 25905->26530 25909 7ff600feb1ff 25906->25909 25910 7ff600feb2db 25906->25910 25906->26055 25914 7ff600feb2a9 25909->25914 25915 7ff600feb207 25909->25915 25917 7ff600feb391 25910->25917 25922 7ff600feb2f5 25910->25922 25912 7ff600febeba SendMessageW 25913 7ff600febec9 25912->25913 25919 7ff600febed5 SendDlgItemMessageW 25913->25919 25920 7ff600febef0 GetDlgItem SendMessageW 25913->25920 25921 7ff600feb2cb EndDialog 25914->25921 25914->26055 25925 7ff600fdaae0 48 API calls 25915->25925 25915->26055 26253 7ff600fc22bc GetDlgItem 25917->26253 25919->25920 26549 7ff600fd62dc GetCurrentDirectoryW 25920->26549 25921->26055 25926 7ff600fdaae0 48 API calls 25922->25926 25928 7ff600feb236 25925->25928 25929 7ff600feb313 SetDlgItemTextW 25926->25929 25927 7ff600febf47 GetDlgItem 26559 7ff600fc2520 
25927->26559 26563 7ff600fc1ec4 34 API calls _handle_error 25928->26563 25933 7ff600feb326 25929->25933 25932 7ff600feb408 GetDlgItem 25937 7ff600feb422 SendMessageW SendMessageW 25932->25937 25938 7ff600feb44f SetFocus 25932->25938 25944 7ff600feb340 GetMessageW 25933->25944 25933->26055 25936 7ff600feb246 25943 7ff600feb25c 25936->25943 26564 7ff600fc250c 25936->26564 25937->25938 25939 7ff600feb465 25938->25939 25940 7ff600feb4f2 25938->25940 25946 7ff600fdaae0 48 API calls 25939->25946 26267 7ff600fc8d04 25940->26267 25941 7ff600feb3da 25948 7ff600fc1fa0 31 API calls 25941->25948 25958 7ff600fec363 25943->25958 25943->26055 25945 7ff600feb35e IsDialogMessageW 25944->25945 25944->26055 25945->25933 25953 7ff600feb373 TranslateMessage DispatchMessageW 25945->25953 25954 7ff600feb46f 25946->25954 25947 7ff600febcc5 25955 7ff600fdaae0 48 API calls 25947->25955 25948->26055 25952 7ff600feb52c 26277 7ff600feef80 25952->26277 25953->25933 26567 7ff600fc129c 25954->26567 25959 7ff600febcd6 SetDlgItemTextW 25955->25959 26624 7ff600ff7904 25958->26624 25962 7ff600fdaae0 48 API calls 25959->25962 25969 7ff600febd08 25962->25969 25984 7ff600fc129c 33 API calls 25969->25984 25970 7ff600fec368 25979 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 25970->25979 25973 7ff600feb498 25977 7ff600fef0a4 24 API calls 25973->25977 25982 7ff600feb4a5 25977->25982 25985 7ff600fec36e 25979->25985 25982->25970 25999 7ff600feb4e8 25982->25999 26016 7ff600febd31 25984->26016 25996 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 25985->25996 25995 7ff600febdda 26000 7ff600fdaae0 48 API calls 25995->26000 26001 7ff600fec374 25996->26001 25998 7ff600feb5ec 26009 7ff600feb61a 25998->26009 26578 7ff600fd32a8 25998->26578 25999->25998 26577 7ff600fefa80 33 API calls 2 library calls 25999->26577 26011 7ff600febde4 26000->26011 26020 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26001->26020 26005 7ff600fc1fa0 31 API calls 26014 7ff600feb586 26005->26014 
26315 7ff600fd2f58 26009->26315 26033 7ff600fc129c 33 API calls 26011->26033 26014->25985 26014->25999 26016->25995 26022 7ff600fc129c 33 API calls 26016->26022 26027 7ff600fec37a 26020->26027 26028 7ff600febd7f 26022->26028 26038 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26027->26038 26034 7ff600fdaae0 48 API calls 26028->26034 26031 7ff600feb634 GetLastError 26032 7ff600feb64c 26031->26032 26327 7ff600fd7fc4 26032->26327 26037 7ff600febe0d 26033->26037 26040 7ff600febd8a 26034->26040 26036 7ff600feb60e 26581 7ff600fe9d90 12 API calls _handle_error 26036->26581 26053 7ff600fc129c 33 API calls 26037->26053 26044 7ff600fec380 26038->26044 26045 7ff600fc1150 33 API calls 26040->26045 26054 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26044->26054 26049 7ff600febda2 26045->26049 26047 7ff600feb65e 26051 7ff600feb674 26047->26051 26052 7ff600feb665 GetLastError 26047->26052 26611 7ff600fc2034 26049->26611 26056 7ff600feb71c 26051->26056 26060 7ff600feb72b 26051->26060 26062 7ff600feb68b GetTickCount 26051->26062 26052->26051 26057 7ff600febe4e 26053->26057 26058 7ff600fec386 26054->26058 26615 7ff600ff2320 26055->26615 26056->26060 26080 7ff600febb79 26056->26080 26074 7ff600fc1fa0 31 API calls 26057->26074 26063 7ff600fc255c 61 API calls 26058->26063 26064 7ff600feba50 26060->26064 26582 7ff600fd6454 26060->26582 26330 7ff600fc4228 26062->26330 26067 7ff600fec3e4 26063->26067 26072 7ff600feb3b1 EndDialog 26064->26072 26606 7ff600fcbd0c 33 API calls 26064->26606 26065 7ff600febdbe 26070 7ff600fc1fa0 31 API calls 26065->26070 26075 7ff600fec3e8 26067->26075 26083 7ff600fec489 GetDlgItem SetFocus 26067->26083 26105 7ff600fec3fd 26067->26105 26078 7ff600febdcc 26070->26078 26072->25941 26082 7ff600febe78 26074->26082 26084 7ff600ff2320 _handle_error 8 API calls 26075->26084 26077 7ff600feb74e 26594 7ff600fdb914 102 API calls 26077->26594 26087 7ff600fc1fa0 31 API calls 26078->26087 26095 7ff600fdaae0 48 API calls 26080->26095 26081 
7ff600feba75 26607 7ff600fc1150 26081->26607 26091 7ff600fc1fa0 31 API calls 26082->26091 26088 7ff600fec4ba 26083->26088 26092 7ff600feca97 26084->26092 26087->25995 26100 7ff600fc129c 33 API calls 26088->26100 26089 7ff600feb6ba 26340 7ff600fc1fa0 26089->26340 26097 7ff600febe83 26091->26097 26093 7ff600feb768 26099 7ff600fdda98 48 API calls 26093->26099 26102 7ff600febba7 SetDlgItemTextW 26095->26102 26096 7ff600feba8a 26103 7ff600fdaae0 48 API calls 26096->26103 26104 7ff600fc1fa0 31 API calls 26097->26104 26098 7ff600fec434 SendDlgItemMessageW 26106 7ff600fec454 26098->26106 26107 7ff600fec45d EndDialog 26098->26107 26108 7ff600feb7aa GetCommandLineW 26099->26108 26109 7ff600fec4cc 26100->26109 26101 7ff600feb6c8 26345 7ff600fd2134 26101->26345 26110 7ff600fc2534 26102->26110 26111 7ff600feba97 26103->26111 26104->25941 26105->26075 26105->26098 26106->26107 26107->26075 26113 7ff600feb84f 26108->26113 26114 7ff600feb869 26108->26114 26629 7ff600fd80d8 33 API calls 26109->26629 26116 7ff600febbc5 SetDlgItemTextW GetDlgItem 26110->26116 26112 7ff600fc1150 33 API calls 26111->26112 26119 7ff600febaaa 26112->26119 26595 7ff600fc20b0 26113->26595 26599 7ff600feab54 33 API calls _handle_error 26114->26599 26117 7ff600febc13 26116->26117 26118 7ff600febbf0 GetWindowLongPtrW SetWindowLongPtrW 26116->26118 26365 7ff600fece88 26117->26365 26118->26117 26124 7ff600fc1fa0 31 API calls 26119->26124 26120 7ff600fec4e0 26125 7ff600fc250c SetDlgItemTextW 26120->26125 26129 7ff600febab5 26124->26129 26131 7ff600fec4f4 26125->26131 26126 7ff600feb87a 26600 7ff600feab54 33 API calls _handle_error 26126->26600 26137 7ff600fc1fa0 31 API calls 26129->26137 26142 7ff600fec526 SendDlgItemMessageW FindFirstFileW 26131->26142 26133 7ff600feb704 26361 7ff600fd204c 26133->26361 26134 7ff600feb6f5 GetLastError 26134->26133 26136 7ff600fece88 160 API calls 26140 7ff600febc3c 26136->26140 26141 7ff600febac3 26137->26141 26138 7ff600feb88b 26601 7ff600feab54 33 API calls _handle_error 
26138->26601 26515 7ff600fef974 26140->26515 26151 7ff600fdaae0 48 API calls 26141->26151 26146 7ff600fec57b 26142->26146 26239 7ff600feca04 26142->26239 26155 7ff600fdaae0 48 API calls 26146->26155 26147 7ff600feb89c 26602 7ff600fdb9b4 102 API calls 26147->26602 26150 7ff600fece88 160 API calls 26165 7ff600febc6a 26150->26165 26154 7ff600febadb 26151->26154 26152 7ff600feb8b3 26603 7ff600fefbdc 33 API calls 26152->26603 26153 7ff600feca81 26153->26075 26166 7ff600fc129c 33 API calls 26154->26166 26168 7ff600fec59e 26155->26168 26157 7ff600fecaa9 26158 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26157->26158 26161 7ff600fecaae 26158->26161 26159 7ff600febc96 26529 7ff600fc2298 GetDlgItem EnableWindow 26159->26529 26160 7ff600feb8d2 CreateFileMappingW 26163 7ff600feb953 ShellExecuteExW 26160->26163 26164 7ff600feb911 MapViewOfFile 26160->26164 26170 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26161->26170 26188 7ff600feb974 26163->26188 26604 7ff600ff3640 26164->26604 26165->26159 26171 7ff600fece88 160 API calls 26165->26171 26180 7ff600febb04 26166->26180 26167 7ff600feb3f5 26167->25947 26167->26072 26172 7ff600fc129c 33 API calls 26168->26172 26174 7ff600fecab4 26170->26174 26171->26159 26173 7ff600fec5cd 26172->26173 26175 7ff600fc1150 33 API calls 26173->26175 26178 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26174->26178 26176 7ff600fec5e8 26175->26176 26630 7ff600fce164 33 API calls 2 library calls 26176->26630 26177 7ff600feb9c3 26185 7ff600feb9ef 26177->26185 26186 7ff600feb9dc UnmapViewOfFile CloseHandle 26177->26186 26182 7ff600fecaba 26178->26182 26179 7ff600febb5a 26183 7ff600fc1fa0 31 API calls 26179->26183 26180->26027 26180->26179 26190 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26182->26190 26183->26072 26184 7ff600fec5ff 26187 7ff600fc1fa0 31 API calls 26184->26187 26185->26001 26189 7ff600feba25 26185->26189 26186->26185 26191 7ff600fec60c 26187->26191 26188->26177 26192 
7ff600feb9b1 Sleep 26188->26192 26194 7ff600fc1fa0 31 API calls 26189->26194 26193 7ff600fecac0 26190->26193 26191->26161 26196 7ff600fc1fa0 31 API calls 26191->26196 26192->26177 26192->26188 26197 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26193->26197 26195 7ff600feba42 26194->26195 26198 7ff600fc1fa0 31 API calls 26195->26198 26199 7ff600fec673 26196->26199 26200 7ff600fecac6 26197->26200 26198->26064 26201 7ff600fc250c SetDlgItemTextW 26199->26201 26203 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26200->26203 26202 7ff600fec687 FindClose 26201->26202 26204 7ff600fec6a3 26202->26204 26205 7ff600fec797 SendDlgItemMessageW 26202->26205 26206 7ff600fecacc 26203->26206 26631 7ff600fea2cc 10 API calls _handle_error 26204->26631 26207 7ff600fec7cb 26205->26207 26210 7ff600fdaae0 48 API calls 26207->26210 26209 7ff600fec6c6 26211 7ff600fdaae0 48 API calls 26209->26211 26212 7ff600fec7d8 26210->26212 26213 7ff600fec6cf 26211->26213 26215 7ff600fc129c 33 API calls 26212->26215 26214 7ff600fdda98 48 API calls 26213->26214 26220 7ff600fec6ec BuildCatchObjectHelperInternal 26214->26220 26217 7ff600fec807 26215->26217 26216 7ff600fc1fa0 31 API calls 26218 7ff600fec783 26216->26218 26219 7ff600fc1150 33 API calls 26217->26219 26221 7ff600fc250c SetDlgItemTextW 26218->26221 26222 7ff600fec822 26219->26222 26220->26174 26220->26216 26221->26205 26632 7ff600fce164 33 API calls 2 library calls 26222->26632 26224 7ff600fec839 26225 7ff600fc1fa0 31 API calls 26224->26225 26226 7ff600fec845 BuildCatchObjectHelperInternal 26225->26226 26227 7ff600fc1fa0 31 API calls 26226->26227 26228 7ff600fec87f 26227->26228 26229 7ff600fc1fa0 31 API calls 26228->26229 26230 7ff600fec88c 26229->26230 26230->26182 26231 7ff600fc1fa0 31 API calls 26230->26231 26232 7ff600fec8f3 26231->26232 26233 7ff600fc250c SetDlgItemTextW 26232->26233 26234 7ff600fec907 26233->26234 26234->26239 26633 7ff600fea2cc 10 API calls _handle_error 26234->26633 26236 7ff600fec932 26237 
7ff600fdaae0 48 API calls 26236->26237 26238 7ff600fec93c 26237->26238 26240 7ff600fdda98 48 API calls 26238->26240 26239->26075 26239->26153 26239->26157 26239->26200 26242 7ff600fec959 BuildCatchObjectHelperInternal 26240->26242 26241 7ff600fc1fa0 31 API calls 26243 7ff600fec9f0 26241->26243 26242->26193 26242->26241 26244 7ff600fc250c SetDlgItemTextW 26243->26244 26244->26239 26246 7ff600fc25d0 26245->26246 26247 7ff600fc256a 26245->26247 26246->25904 26247->26246 26634 7ff600fda4ac 26247->26634 26249 7ff600fc258f 26249->26246 26250 7ff600fc25a4 GetDlgItem 26249->26250 26250->26246 26251 7ff600fc25b7 26250->26251 26251->26246 26252 7ff600fc25be SetWindowTextW 26251->26252 26252->26246 26254 7ff600fc2334 26253->26254 26255 7ff600fc22fc 26253->26255 26733 7ff600fc23f8 GetWindowTextLengthW 26254->26733 26257 7ff600fc129c 33 API calls 26255->26257 26258 7ff600fc232a BuildCatchObjectHelperInternal 26257->26258 26259 7ff600fc1fa0 31 API calls 26258->26259 26262 7ff600fc2389 26258->26262 26259->26262 26260 7ff600fc23c8 26261 7ff600ff2320 _handle_error 8 API calls 26260->26261 26263 7ff600fc23dd 26261->26263 26262->26260 26264 7ff600fc23f0 26262->26264 26263->25932 26263->26072 26263->26167 26265 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26264->26265 26266 7ff600fc23f5 26265->26266 26268 7ff600fc8d34 26267->26268 26269 7ff600fc8de8 26267->26269 26272 7ff600fc8de3 26268->26272 26273 7ff600fc8d42 BuildCatchObjectHelperInternal 26268->26273 26275 7ff600fc8d91 26268->26275 26788 7ff600fc2004 33 API calls std::_Xinvalid_argument 26269->26788 26274 7ff600fc1f80 Concurrency::cancel_current_task 33 API calls 26272->26274 26273->25952 26274->26269 26275->26273 26276 7ff600ff21d0 33 API calls 26275->26276 26276->26273 26281 7ff600feefb0 26277->26281 26278 7ff600feefd7 26279 7ff600ff2320 _handle_error 8 API calls 26278->26279 26280 7ff600feb537 26279->26280 26291 7ff600fdaae0 26280->26291 26281->26278 26789 7ff600fcbd0c 33 API calls 26281->26789 26283 
7ff600fef02a 26284 7ff600fc1150 33 API calls 26283->26284 26285 7ff600fef03f 26284->26285 26286 7ff600fef04f BuildCatchObjectHelperInternal 26285->26286 26288 7ff600fc1fa0 31 API calls 26285->26288 26287 7ff600fc1fa0 31 API calls 26286->26287 26289 7ff600fef076 26287->26289 26288->26286 26290 7ff600fc1fa0 31 API calls 26289->26290 26290->26278 26292 7ff600fdaaf3 26291->26292 26790 7ff600fd9774 26292->26790 26295 7ff600fdab86 26298 7ff600fdda98 26295->26298 26296 7ff600fdab58 LoadStringW 26296->26295 26297 7ff600fdab71 LoadStringW 26296->26297 26297->26295 26809 7ff600fdd874 26298->26809 26301 7ff600fef0a4 26842 7ff600feae1c PeekMessageW 26301->26842 26304 7ff600fef143 SendMessageW SendMessageW 26305 7ff600fef1a4 SendMessageW 26304->26305 26306 7ff600fef189 26304->26306 26308 7ff600fef1c3 26305->26308 26309 7ff600fef1c6 SendMessageW SendMessageW 26305->26309 26306->26305 26307 7ff600fef0f5 26310 7ff600fef101 ShowWindow SendMessageW SendMessageW 26307->26310 26308->26309 26311 7ff600fef1f3 SendMessageW 26309->26311 26312 7ff600fef218 SendMessageW 26309->26312 26310->26304 26311->26312 26313 7ff600ff2320 _handle_error 8 API calls 26312->26313 26314 7ff600feb578 26313->26314 26314->26005 26316 7ff600fd309d 26315->26316 26323 7ff600fd2f8e 26315->26323 26317 7ff600ff2320 _handle_error 8 API calls 26316->26317 26318 7ff600fd30b3 26317->26318 26318->26031 26318->26032 26319 7ff600fd3077 26319->26316 26320 7ff600fd3684 56 API calls 26319->26320 26320->26316 26321 7ff600fc129c 33 API calls 26321->26323 26323->26319 26323->26321 26324 7ff600fd30c8 26323->26324 26847 7ff600fd3684 26323->26847 26325 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 26324->26325 26326 7ff600fd30cd 26325->26326 26328 7ff600fd7fd2 SetCurrentDirectoryW 26327->26328 26329 7ff600fd7fcf 26327->26329 26328->26047 26329->26328 26331 7ff600fc4255 26330->26331 26332 7ff600fc426a 26331->26332 26333 7ff600fc129c 33 API calls 26331->26333 26334 7ff600ff2320 _handle_error 8 API calls 26332->26334 
7ff600fc3090 31 API calls _invalid_parameter_noinfo_noreturn 27570->28234 27571 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27573 7ff600fc2d7c 27571->27573 27574 7ff600fc2d14 27575 7ff600fc1fa0 31 API calls 27574->27575 27576 7ff600fc2d20 27575->27576 28235 7ff600fd878c 27576->28235 27582->27571 27583->27257 27584->27263 27585 7ff600fe0994 83 API calls _handle_error 27585->27260 27603 7ff600fd56a4 27586->27603 27588 7ff600fc91df 27606 7ff600fdb788 27588->27606 27592 7ff600fc9383 27592->27318 27594 7ff600fd4d32 __scrt_get_show_window_mode 27593->27594 27621 7ff600fd4bac 27594->27621 27596 7ff600fd4d54 27597 7ff600fd4d90 27596->27597 27599 7ff600fd4dae 27596->27599 27598 7ff600ff2320 _handle_error 8 API calls 27597->27598 27600 7ff600fc2b32 27598->27600 27601 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27599->27601 27600->27242 27600->27323 27602 7ff600fd4db3 27601->27602 27612 7ff600fd56e8 27603->27612 27607 7ff600fc13a4 33 API calls 27606->27607 27608 7ff600fc9365 27607->27608 27609 7ff600fc9a28 27608->27609 27610 7ff600fd56e8 2 API calls 27609->27610 27611 7ff600fc9a36 27610->27611 27611->27592 27613 7ff600fd56fe __scrt_get_show_window_mode 27612->27613 27616 7ff600fdeba4 27613->27616 27619 7ff600fdeb58 GetCurrentProcess GetProcessAffinityMask 27616->27619 27620 7ff600fd56de 27619->27620 27620->27588 27622 7ff600fd4c2f BuildCatchObjectHelperInternal 27621->27622 27623 7ff600fd4c27 27621->27623 27622->27596 27624 7ff600fc1fa0 31 API calls 27623->27624 27624->27622 27626 7ff600fd24fd CreateFileW 27625->27626 27628 7ff600fd25ae GetLastError 27626->27628 27635 7ff600fd266e 27626->27635 27629 7ff600fd6a0c 49 API calls 27628->27629 27630 7ff600fd25dc 27629->27630 27631 7ff600fd25e0 CreateFileW GetLastError 27630->27631 27637 7ff600fd262c 27630->27637 27631->27637 27632 7ff600fd26b1 SetFileTime 27633 7ff600fd26cf 27632->27633 27634 7ff600fd2708 27633->27634 27639 7ff600fc20b0 33 API calls 27633->27639 27636 7ff600ff2320 _handle_error 8 
API calls 27634->27636 27635->27632 27635->27633 27638 7ff600fd271b 27636->27638 27637->27635 27640 7ff600fd2736 27637->27640 27638->27325 27643 7ff600fcb7e8 99 API calls 2 library calls 27638->27643 27639->27634 27641 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27640->27641 27642 7ff600fd273b 27641->27642 27643->27325 27645 7ff600fd28f6 27644->27645 27647 7ff600fd28fd 27644->27647 27645->27330 27647->27645 27648 7ff600fd2320 GetStdHandle ReadFile GetLastError GetLastError GetFileType 27647->27648 27665 7ff600fcb8a4 99 API calls std::_Xinvalid_argument 27647->27665 27648->27647 27650 7ff600fd2be9 27649->27650 27651 7ff600fd2bcd 27649->27651 27653 7ff600fd2c01 SetFilePointer 27650->27653 27655 7ff600fc34cc 27650->27655 27651->27655 27666 7ff600fcb9c4 99 API calls std::_Xinvalid_argument 27651->27666 27654 7ff600fd2c1e GetLastError 27653->27654 27653->27655 27654->27655 27656 7ff600fd2c28 27654->27656 27655->27355 27656->27655 27667 7ff600fcb9c4 99 API calls std::_Xinvalid_argument 27656->27667 27668 7ff600fd2778 27658->27668 27661 7ff600fc35a7 27661->27338 27661->27358 27663->27340 27664->27339 27674 7ff600fd2789 _snwprintf 27668->27674 27669 7ff600fd2890 SetFilePointer 27671 7ff600fd27b5 27669->27671 27673 7ff600fd28b8 GetLastError 27669->27673 27670 7ff600ff2320 _handle_error 8 API calls 27672 7ff600fd281d 27670->27672 27671->27670 27672->27661 27675 7ff600fcb9c4 99 API calls std::_Xinvalid_argument 27672->27675 27673->27671 27674->27669 27674->27671 27677 7ff600fc3396 27676->27677 27678 7ff600fc339a 27676->27678 27677->27362 27677->27367 27682 7ff600fc3294 27678->27682 27681 7ff600fd2aa0 101 API calls 27681->27677 27683 7ff600fc32bb 27682->27683 27685 7ff600fc32f6 27682->27685 27684 7ff600fc69f8 132 API calls 27683->27684 27688 7ff600fc32db 27684->27688 27690 7ff600fc6e74 27685->27690 27688->27681 27694 7ff600fc6e95 27690->27694 27691 7ff600fc69f8 132 API calls 27691->27694 27692 7ff600fc331d 27692->27688 27695 7ff600fc3904 27692->27695 
27694->27691 27694->27692 27722 7ff600fde808 27694->27722 27730 7ff600fc6a7c 27695->27730 27698 7ff600fc396a 27701 7ff600fc3989 27698->27701 27702 7ff600fc399a 27698->27702 27699 7ff600fc3a8a 27703 7ff600ff2320 _handle_error 8 API calls 27699->27703 27762 7ff600fe0d54 27701->27762 27707 7ff600fc39a3 27702->27707 27708 7ff600fc39ec 27702->27708 27706 7ff600fc3a9e 27703->27706 27704 7ff600fc3ab3 27709 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27704->27709 27706->27688 27767 7ff600fe0c80 33 API calls 27707->27767 27768 7ff600fc26b4 33 API calls BuildCatchObjectHelperInternal 27708->27768 27711 7ff600fc3ab8 27709->27711 27716 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27711->27716 27712 7ff600fc39b0 27717 7ff600fc1fa0 31 API calls 27712->27717 27720 7ff600fc39c0 BuildCatchObjectHelperInternal 27712->27720 27714 7ff600fc1fa0 31 API calls 27721 7ff600fc394f 27714->27721 27715 7ff600fc3a13 27769 7ff600fe0ae8 34 API calls _invalid_parameter_noinfo_noreturn 27715->27769 27719 7ff600fc3abe 27716->27719 27717->27720 27720->27714 27721->27699 27721->27704 27721->27711 27723 7ff600fde811 27722->27723 27724 7ff600fde82b 27723->27724 27728 7ff600fcb664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27723->27728 27725 7ff600fde845 SetThreadExecutionState 27724->27725 27729 7ff600fcb664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27724->27729 27728->27724 27729->27725 27731 7ff600fc6a96 _snwprintf 27730->27731 27732 7ff600fc6ae4 27731->27732 27733 7ff600fc6ac4 27731->27733 27735 7ff600fc6d4d 27732->27735 27738 7ff600fc6b0f 27732->27738 27808 7ff600fc28a4 82 API calls 2 library calls 27733->27808 27837 7ff600fc28a4 82 API calls 2 library calls 27735->27837 27737 7ff600fc6ad0 27739 7ff600ff2320 _handle_error 8 API calls 27737->27739 27738->27737 27770 7ff600fe1f94 27738->27770 27740 7ff600fc394b 27739->27740 27740->27698 27740->27721 27766 7ff600fc2794 33 API calls __std_swap_ranges_trivially_swappable 27740->27766 27743 
7ff600fc6b85 27744 7ff600fc6c2a 27743->27744 27761 7ff600fc6b7b 27743->27761 27814 7ff600fd8968 109 API calls 27743->27814 27779 7ff600fd4760 27744->27779 27745 7ff600fc6b80 27745->27743 27810 7ff600fc40b0 27745->27810 27746 7ff600fc6b6e 27809 7ff600fc28a4 82 API calls 2 library calls 27746->27809 27752 7ff600fc6c52 27753 7ff600fc6cd1 27752->27753 27754 7ff600fc6cc7 27752->27754 27815 7ff600fe1f20 27753->27815 27783 7ff600fd1794 27754->27783 27757 7ff600fc6ccf 27798 7ff600fe1870 27761->27798 27764 7ff600fe0d8c 27762->27764 27763 7ff600fe0f48 27763->27721 27764->27763 27765 7ff600fc1744 33 API calls 27764->27765 27765->27764 27766->27698 27767->27712 27768->27715 27769->27721 27771 7ff600fe2056 std::bad_alloc::bad_alloc 27770->27771 27773 7ff600fe1fc5 std::bad_alloc::bad_alloc 27770->27773 27772 7ff600ff4078 std::_Xinvalid_argument 2 API calls 27771->27772 27772->27773 27774 7ff600fe200f std::bad_alloc::bad_alloc 27773->27774 27775 7ff600ff4078 std::_Xinvalid_argument 2 API calls 27773->27775 27776 7ff600fc6b59 27773->27776 27774->27776 27777 7ff600ff4078 std::_Xinvalid_argument 2 API calls 27774->27777 27775->27774 27776->27743 27776->27745 27776->27746 27778 7ff600fe20a9 27777->27778 27780 7ff600fd4780 27779->27780 27782 7ff600fd478a 27779->27782 27781 7ff600ff21d0 33 API calls 27780->27781 27781->27782 27782->27752 27784 7ff600fd17be __scrt_get_show_window_mode 27783->27784 27838 7ff600fd8a48 27784->27838 27799 7ff600fe188e 27798->27799 27801 7ff600fe18a1 27799->27801 27858 7ff600fde948 27799->27858 27805 7ff600fe18d8 27801->27805 27854 7ff600ff236c 27801->27854 27803 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 27804 7ff600fe1ad0 27803->27804 27807 7ff600fe1a37 27805->27807 27865 7ff600fda984 31 API calls _invalid_parameter_noinfo_noreturn 27805->27865 27807->27803 27808->27737 27809->27761 27811 7ff600fc40dd 27810->27811 27813 7ff600fc40d7 __scrt_get_show_window_mode 27810->27813 27811->27813 27866 7ff600fc4120 27811->27866 27813->27743 
27814->27744 27816 7ff600fe1f29 27815->27816 27817 7ff600fe1f5d 27816->27817 27818 7ff600fe1f55 27816->27818 27820 7ff600fe1f49 27816->27820 27817->27757 27902 7ff600fe3964 151 API calls 27818->27902 27872 7ff600fe20ac 27820->27872 27837->27737 27840 7ff600fd8bcd 27838->27840 27845 7ff600fd8a91 BuildCatchObjectHelperInternal 27838->27845 27839 7ff600fd8c1a 27840->27839 27842 7ff600fca174 8 API calls 27840->27842 27842->27839 27845->27840 27855 7ff600ff239f 27854->27855 27856 7ff600ff23c8 27855->27856 27857 7ff600fe1870 108 API calls 27855->27857 27856->27805 27857->27855 27859 7ff600fdecd8 103 API calls 27858->27859 27860 7ff600fde95f ReleaseSemaphore 27859->27860 27861 7ff600fde9a3 DeleteCriticalSection CloseHandle CloseHandle 27860->27861 27862 7ff600fde984 27860->27862 27863 7ff600fdea5c 101 API calls 27862->27863 27864 7ff600fde98e CloseHandle 27863->27864 27864->27861 27864->27862 27865->27807 27869 7ff600fc4149 27866->27869 27871 7ff600fc4168 __std_swap_ranges_trivially_swappable __scrt_get_show_window_mode 27866->27871 27867 7ff600fc2018 33 API calls 27868 7ff600fc41eb 27867->27868 27870 7ff600ff21d0 33 API calls 27869->27870 27869->27871 27870->27871 27871->27867 27874 7ff600fe20c8 __scrt_get_show_window_mode 27872->27874 27902->27817 27907 7ff600fd8882 27906->27907 27908 7ff600fd8892 27906->27908 27913 7ff600fd23f0 27907->27913 27908->27372 27911 7ff600ff2320 _handle_error 8 API calls 27910->27911 27912 7ff600fcf7dc 27911->27912 27912->27260 27912->27585 27914 7ff600fd240f 27913->27914 27917 7ff600fd2aa0 101 API calls 27914->27917 27915 7ff600fd2428 27918 7ff600fd2bb0 101 API calls 27915->27918 27916 7ff600fd2438 27916->27908 27917->27915 27918->27916 27920 7ff600fc5e67 27919->27920 27983 7ff600fd85f0 27920->27983 27922 7ff600fc6134 27993 7ff600fc6fcc 82 API calls 27922->27993 27924 7ff600fc613c 27928 7ff600fc6973 28005 7ff600fc466c 82 API calls 27928->28005 27931 7ff600fc612e 27931->27922 27931->27928 27935 7ff600fd85f0 104 API calls 27931->27935 27936 
7ff600fc61a4 27935->27936 27936->27922 27940 7ff600fc61ac 27936->27940 27941 7ff600fc623f 27940->27941 27994 7ff600fc466c 82 API calls 27940->27994 27941->27928 27981->27382 27984 7ff600fd8614 27983->27984 27985 7ff600fd869a 27983->27985 27986 7ff600fc40b0 33 API calls 27984->27986 27989 7ff600fd867c 27984->27989 27987 7ff600fc40b0 33 API calls 27985->27987 27985->27989 27990 7ff600fd864d 27986->27990 27988 7ff600fd86b3 27987->27988 27992 7ff600fd28d0 104 API calls 27988->27992 27989->27931 28006 7ff600fca174 27990->28006 27992->27989 27993->27924 28007 7ff600fca185 28006->28007 28008 7ff600fca19a 28007->28008 28010 7ff600fdaf18 8 API calls 2 library calls 28007->28010 28008->27989 28010->28008 28012 7ff600fc9be7 28011->28012 28016 7ff600fc9c83 28012->28016 28019 7ff600fc9c1b 28012->28019 28020 7ff600fc9cae 28012->28020 28146 7ff600fd5294 28012->28146 28164 7ff600fddb60 28012->28164 28013 7ff600ff2320 _handle_error 8 API calls 28014 7ff600fc9c9d 28013->28014 28014->27400 28018 7ff600fc1fa0 31 API calls 28016->28018 28018->28019 28019->28013 28021 7ff600fc9cbf 28020->28021 28168 7ff600fdda48 CompareStringW 28020->28168 28021->28016 28023 7ff600fc20b0 33 API calls 28021->28023 28023->28016 28037 7ff600fd5f3a 28024->28037 28025 7ff600fd619b 28026 7ff600ff2320 _handle_error 8 API calls 28025->28026 28027 7ff600fd61ce 28172 7ff600fc704c 47 API calls BuildCatchObjectHelperInternal 28027->28172 28030 7ff600fc129c 33 API calls 28032 7ff600fd6129 28030->28032 28033 7ff600fc1fa0 31 API calls 28032->28033 28034 7ff600fd613b BuildCatchObjectHelperInternal 28032->28034 28033->28034 28034->28025 28037->28025 28037->28027 28037->28030 28096->27390 28144->27394 28145->27394 28147 7ff600fd52d4 28146->28147 28152 7ff600fd5312 __vcrt_InitializeCriticalSectionEx 28147->28152 28159 7ff600fd5339 __vcrt_InitializeCriticalSectionEx 28147->28159 28169 7ff600fe13f4 CompareStringW 28147->28169 28148 7ff600ff2320 _handle_error 8 API calls 28150 7ff600fd5503 28148->28150 28150->28012 28153 
7ff600fd5382 __vcrt_InitializeCriticalSectionEx 28152->28153 28152->28159 28170 7ff600fe13f4 CompareStringW 28152->28170 28154 7ff600fc129c 33 API calls 28153->28154 28155 7ff600fd5439 28153->28155 28153->28159 28156 7ff600fd5426 28154->28156 28157 7ff600fd551b 28155->28157 28158 7ff600fd5489 28155->28158 28160 7ff600fd72cc 8 API calls 28156->28160 28162 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28157->28162 28158->28159 28171 7ff600fe13f4 CompareStringW 28158->28171 28159->28148 28160->28155 28163 7ff600fd5520 28162->28163 28166 7ff600fddb73 28164->28166 28165 7ff600fddb91 28165->28012 28166->28165 28167 7ff600fc20b0 33 API calls 28166->28167 28167->28165 28168->28021 28169->28152 28170->28153 28171->28159 28232->27564 28233->27570 28234->27574 28236 7ff600fd87af 28235->28236 28237 7ff600fd87df 28235->28237 28238 7ff600ff236c 108 API calls 28236->28238 28239 7ff600ff236c 108 API calls 28237->28239 28247 7ff600fd882b 28237->28247 28241 7ff600fd87ca 28238->28241 28242 7ff600fd8814 28239->28242 28244 7ff600ff236c 108 API calls 28241->28244 28245 7ff600ff236c 108 API calls 28242->28245 28243 7ff600fd8845 28246 7ff600fd461c 108 API calls 28243->28246 28244->28237 28245->28247 28248 7ff600fd8851 28246->28248 28249 7ff600fd461c 28247->28249 28250 7ff600fd4632 28249->28250 28252 7ff600fd463a 28249->28252 28251 7ff600fde948 108 API calls 28250->28251 28251->28252 28252->28243 28254 7ff600fd163e 28253->28254 28255 7ff600fd1681 28253->28255 28254->28255 28257 7ff600fd31bc 51 API calls 28254->28257 28258 7ff600fc1fa0 31 API calls 28255->28258 28263 7ff600fd16a0 28255->28263 28256 7ff600fce600 31 API calls 28259 7ff600fd16de 28256->28259 28257->28254 28258->28255 28260 7ff600fd175b 28259->28260 28261 7ff600fd178d 28259->28261 28262 7ff600ff2320 _handle_error 8 API calls 28260->28262 28265 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28261->28265 28264 7ff600fce58a 28262->28264 28263->28256 28264->27198 28264->27199 28266 7ff600fd1792 
28265->28266 28268 7ff600fe84cc 4 API calls 28267->28268 28269 7ff600fe84aa 28268->28269 28270 7ff600fe84b9 28269->28270 28279 7ff600fe8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28269->28279 28270->26533 28270->26534 28272->26539 28273->26545 28275 7ff600fe84de 28274->28275 28276 7ff600fe84e3 28274->28276 28280 7ff600fe8590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28275->28280 28276->26545 28278->26548 28279->28270 28280->28276 28282->26598 28283->26613 28284->26621 28286->26626 28288 7ff600ff1491 28289 7ff600ff13c9 28288->28289 28291 7ff600ff1900 28289->28291 28317 7ff600ff1558 28291->28317 28294 7ff600ff198b 28295 7ff600ff1868 DloadReleaseSectionWriteAccess 6 API calls 28294->28295 28296 7ff600ff1998 RaiseException 28295->28296 28310 7ff600ff1bb5 28296->28310 28297 7ff600ff1a3d LoadLibraryExA 28298 7ff600ff1a54 GetLastError 28297->28298 28299 7ff600ff1aa9 28297->28299 28304 7ff600ff1a7e 28298->28304 28305 7ff600ff1a69 28298->28305 28300 7ff600ff1abd 28299->28300 28306 7ff600ff1ab4 FreeLibrary 28299->28306 28302 7ff600ff1b1b GetProcAddress 28300->28302 28303 7ff600ff1b85 28300->28303 28301 7ff600ff19b4 28301->28297 28301->28299 28301->28300 28301->28303 28302->28303 28309 7ff600ff1b30 GetLastError 28302->28309 28325 7ff600ff1868 28303->28325 28308 7ff600ff1868 DloadReleaseSectionWriteAccess 6 API calls 28304->28308 28305->28299 28305->28304 28306->28300 28311 7ff600ff1a8b RaiseException 28308->28311 28312 7ff600ff1b45 28309->28312 28310->28289 28311->28310 28312->28303 28313 7ff600ff1868 DloadReleaseSectionWriteAccess 6 API calls 28312->28313 28314 7ff600ff1b67 RaiseException 28313->28314 28315 7ff600ff1558 _com_raise_error 6 API calls 28314->28315 28316 7ff600ff1b81 28315->28316 28316->28303 28318 7ff600ff156e 28317->28318 28319 7ff600ff15d3 28317->28319 28333 7ff600ff1604 28318->28333 28319->28294 28319->28301 28322 7ff600ff15ce 28324 7ff600ff1604 DloadReleaseSectionWriteAccess 3 API calls 28322->28324 28324->28319 28326 7ff600ff1878 28325->28326 28327 
7ff600ff18d1 28325->28327 28328 7ff600ff1604 DloadReleaseSectionWriteAccess 3 API calls 28326->28328 28327->28310 28329 7ff600ff187d 28328->28329 28330 7ff600ff18cc 28329->28330 28331 7ff600ff17d8 DloadProtectSection 3 API calls 28329->28331 28332 7ff600ff1604 DloadReleaseSectionWriteAccess 3 API calls 28330->28332 28331->28330 28332->28327 28334 7ff600ff161f 28333->28334 28336 7ff600ff1573 28333->28336 28335 7ff600ff1624 GetModuleHandleW 28334->28335 28334->28336 28337 7ff600ff163e GetProcAddress 28335->28337 28338 7ff600ff1639 28335->28338 28336->28322 28340 7ff600ff17d8 28336->28340 28337->28338 28339 7ff600ff1653 GetProcAddress 28337->28339 28338->28336 28339->28338 28342 7ff600ff17fa DloadProtectSection 28340->28342 28341 7ff600ff1802 28341->28322 28342->28341 28343 7ff600ff183a VirtualProtect 28342->28343 28345 7ff600ff16a4 VirtualQuery GetSystemInfo 28342->28345 28343->28341 28345->28343 28347 7ff600ff11cf 28349 7ff600ff1102 28347->28349 28348 7ff600ff1900 _com_raise_error 14 API calls 28348->28349 28349->28348 28367 7ff600ff03e0 28368 7ff600ff041f 28367->28368 28369 7ff600ff0497 28367->28369 28371 7ff600fdaae0 48 API calls 28368->28371 28370 7ff600fdaae0 48 API calls 28369->28370 28372 7ff600ff04ab 28370->28372 28373 7ff600ff0433 28371->28373 28374 7ff600fdda98 48 API calls 28372->28374 28375 7ff600fdda98 48 API calls 28373->28375 28378 7ff600ff0442 BuildCatchObjectHelperInternal 28374->28378 28375->28378 28376 7ff600fc1fa0 31 API calls 28377 7ff600ff0541 28376->28377 28380 7ff600fc250c SetDlgItemTextW 28377->28380 28378->28376 28379 7ff600ff05c6 28378->28379 28381 7ff600ff05cc 28378->28381 28382 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28379->28382 28384 7ff600ff0556 SetWindowTextW 28380->28384 28383 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28381->28383 28382->28381 28385 7ff600ff05d2 28383->28385 28386 7ff600ff059c 28384->28386 28387 7ff600ff056f 28384->28387 28388 7ff600ff2320 _handle_error 8 API calls 28386->28388 
28387->28386 28389 7ff600ff05c1 28387->28389 28390 7ff600ff05af 28388->28390 28391 7ff600ff7904 _invalid_parameter_noinfo_noreturn 31 API calls 28389->28391 28391->28379 28398 7ff600ff20f0 28399 7ff600ff2106 _com_error::_com_error 28398->28399 28400 7ff600ff4078 std::_Xinvalid_argument 2 API calls 28399->28400 28401 7ff600ff2117 28400->28401 28402 7ff600ff1900 _com_raise_error 14 API calls 28401->28402 28403 7ff600ff2163 28402->28403 25872 7ff600ffbdf8 25873 7ff600ffbe1e GetModuleHandleW 25872->25873 25874 7ff600ffbe68 25872->25874 25873->25874 25879 7ff600ffbe2b 25873->25879 25889 7ff600fff398 EnterCriticalSection 25874->25889 25879->25874 25890 7ff600ffbfb0 GetModuleHandleExW 25879->25890 25891 7ff600ffc001 25890->25891 25892 7ff600ffbfda GetProcAddress 25890->25892 25894 7ff600ffc011 25891->25894 25895 7ff600ffc00b FreeLibrary 25891->25895 25892->25891 25893 7ff600ffbff4 25892->25893 25893->25891 25894->25874 25895->25894 28850 7ff600ffbf2c 41 API calls 2 library calls
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                                                  • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                  • API String ID: 255727823-2702805183
                                                                                  • Opcode ID: 9a17fb0a367c8f41df10969568811eb98f7642249842cc7a5319212f9cbedbf3
                                                                                  • Instruction ID: 018811101773dab1472ca33632e094df38b001a89416b743ff044da97e620342
                                                                                  • Opcode Fuzzy Hash: 9a17fb0a367c8f41df10969568811eb98f7642249842cc7a5319212f9cbedbf3
                                                                                  • Instruction Fuzzy Hash: 7DD2B322A0C7C2A1EB20DB25E8552FA6361FF85780F604535DE8E877AAEF3CE545D344
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                                                  • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                  • API String ID: 3007431893-3916287355
                                                                                  • Opcode ID: 22536870ed44e5dbbaf540d151aa187c5a891d92fbde2893a6fdd8757bd3f256
                                                                                  • Instruction ID: 1f8ba29bd07a05adc4db7d44c23bbb944db7074073de8c771596ab3b5e4b9d88
                                                                                  • Opcode Fuzzy Hash: 22536870ed44e5dbbaf540d151aa187c5a891d92fbde2893a6fdd8757bd3f256
                                                                                  • Instruction Fuzzy Hash: 7B139C22B08B82A9EB10DF64D8402EC27A1FB41798F601536DE5D97BEDEF38E595D340

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                  • API String ID: 1048086575-3710569615
                                                                                  • Opcode ID: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                                  • Instruction ID: 47200f50cf0e5587b09e7ac2090ee3e33dd3d137aee21164a0bf4fe9a1cabf9f
                                                                                  • Opcode Fuzzy Hash: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                                  • Instruction Fuzzy Hash: 0E127D61A1CB8291EB10DF24E8452B97365FF84794F604236DE9E87BAAEF7CE540D304

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                  • String ID: $%s:$CAPTION
                                                                                  • API String ID: 2100155373-404845831
                                                                                  • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                  • Instruction ID: 28462578de87106489345943b026c5425666037f961e1c3e58d447153243cf1f
                                                                                  • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                  • Instruction Fuzzy Hash: 0A91D932B1C6418AE714DF39E800669B7A1FB85784F645536EE8E97B98DF3CE805CB00

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                  • String ID: PNG
                                                                                  • API String ID: 211097158-364855578
                                                                                  • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                  • Instruction ID: d8fab4350f8b1cc445fcf0cbf214e473a6f4447e385bdbf34c7b8b127722e177
                                                                                  • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                  • Instruction Fuzzy Hash: CC412825A1DB4692EF059F56D84437963A0BF88BD0F284435DE4E873A8EF7CE849D300
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: __tmp_reference_source_
                                                                                  • API String ID: 3668304517-685763994
                                                                                  • Opcode ID: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                                  • Instruction ID: ca6ea9eb8a62316ef126c95c6909fdb50858668fe94881680b948416e17a5e57
                                                                                  • Opcode Fuzzy Hash: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                                  • Instruction Fuzzy Hash: E1E28662A0C6C2A2EA64CB25E1457FEA762FB81740F604136DF9D877A9CF3CE455E700
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: CMT
                                                                                  • API String ID: 3668304517-2756464174
                                                                                  • Opcode ID: e332826224c26e08b8897dde0b291f1f93ab3e52299fc2a58a734e8ff3d1849b
                                                                                  • Instruction ID: c69468e5b501ed43601d2de354cf6a8f5263adeac7915b82ceb20ba666726a51
                                                                                  • Opcode Fuzzy Hash: e332826224c26e08b8897dde0b291f1f93ab3e52299fc2a58a734e8ff3d1849b
                                                                                  • Instruction Fuzzy Hash: 85E20222B0CA82A6EB18DB65D6516FD67A1FB41784F640836CE4E8379ACF3CF095D300

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                  • String ID:
                                                                                  • API String ID: 474548282-0
                                                                                  • Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                  • Instruction ID: 5ee2e0c9d02a96321950b1dd843d19863b05b1ec6e3c1fb9306de2bc3c2e6525
                                                                                  • Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                  • Instruction Fuzzy Hash: 35618462A0C64692EA11DF28E84127D6362FB957A4F205332EEAD837DDDF3CE584D700

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CMT
                                                                                  • API String ID: 0-2756464174
                                                                                  • Opcode ID: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
                                                                                  • Instruction ID: 0e5b759b4e74493a0b6903b2b2a7862afd4b19c8846457e839f31591b27aced7
                                                                                  • Opcode Fuzzy Hash: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
                                                                                  • Instruction Fuzzy Hash: 7042DF22B0C682A6EB18DB74D2526FD67A1EB41384F240536DF5ED379ADF38E519E300
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                                  • Instruction ID: 7a6482060bf044a3eefa89f4c01cdea2365a522338eed8a84228f0d4f4da7b39
                                                                                  • Opcode Fuzzy Hash: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                                  • Instruction Fuzzy Hash: C5E1C162A0C2C29AEB64CF29A0442BD7791FB44748F25413ADF8ED778AEE3CF5419704
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
                                                                                  • Instruction ID: c5075546ec40e313f2c643388d9682cdb3ce42993ace5832ba84d6645ba3287b
                                                                                  • Opcode Fuzzy Hash: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
                                                                                  • Instruction Fuzzy Hash: AFB1C0A2B09BC9A2DE58CA66D50CAE97391BB45FC4F588036DE0D87749EF3CE255D300
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                  • String ID:
                                                                                  • API String ID: 3340455307-0
                                                                                  • Opcode ID: 2cb8b9ec6f6f726b57ae810d2a963647076a0ed4099b9c3b4f35ab7767efdb68
                                                                                  • Instruction ID: 30214214a2d1fbc05b57468d7e8c5c0f62c0ef1ed896b7d21dff8acd06d1b4e4
                                                                                  • Opcode Fuzzy Hash: 2cb8b9ec6f6f726b57ae810d2a963647076a0ed4099b9c3b4f35ab7767efdb68
                                                                                  • Instruction Fuzzy Hash: F1412722B19A9297FB64DF22A91077A2253FBC4788F244032DE4E87798DE3CF442D704

                                                                                  Control-flow Graph

                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                  • API String ID: 1496594111-2013832382
                                                                                  • Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                                  • Instruction ID: dd688c66cb6b4ab03ad98d48625d2d9c4e2f7f563597dce4bc66c39fcfc23180
                                                                                  • Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                                  • Instruction Fuzzy Hash: 15322F35A09F82A5EB129F64E8401E933A5FF45358F604236DE8E877AAEF3CD255C344
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FD8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600FD8F8D
                                                                                  • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF600FD9F75
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FDA42F
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FDA435
                                                                                    • Part of subcall function 00007FF600FE0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF600FE0B44), ref: 00007FF600FE0BE9
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                  • API String ID: 3629253777-3268106645
                                                                                  • Opcode ID: c1941742baf2d9c3be52f390a0a923855bad3b4b9f203786c8d0fad0fa7aba42
                                                                                  • Instruction ID: 656f847cb4896f2868e0daf622a454a661f552ee9cdbbf025ac8ec24ae605751
                                                                                  • Opcode Fuzzy Hash: c1941742baf2d9c3be52f390a0a923855bad3b4b9f203786c8d0fad0fa7aba42
                                                                                  • Instruction Fuzzy Hash: 4662BC22A1DA82A5EB10DF65C4482BD3366FB40788FA05132DE4E8779DEF7CE545E341

                                                                                  Control-flow Graph

                                                                                  Similarity
                                                                                  • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                  • String ID: H
                                                                                  • API String ID: 3432403771-2852464175
                                                                                  • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                  • Instruction ID: 186fd2eafbd429b5a13572d335fdf497b908df4d46482d350c30cbda0374e735
                                                                                  • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                  • Instruction Fuzzy Hash: 4F914822E09B52DAEB11CFA5D8446B833A9BF48B98F248535DE4E97758EF38E445D300

                                                                                  Control-flow Graph

                                                                                  Similarity
                                                                                  • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                  • String ID: .exe$.inf$Install$p
                                                                                  • API String ID: 1054546013-3607691742
                                                                                  • Opcode ID: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                                  • Instruction ID: 85db3fde12f389ffb98a227791669dad7ba59b50d3251d1245b520da14cd8d34
                                                                                  • Opcode Fuzzy Hash: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                                  • Instruction Fuzzy Hash: 9BC17C22F1CB82A5FB10DB25D94027923B1AF95B84F644035DE4E877A9EF3CE959D304

                                                                                  Control-flow Graph

                                                                                  Similarity
                                                                                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3569833718-0
                                                                                  • Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                  • Instruction ID: dacbe28c41cdd6fb245b1a891c02f83a9688d148c033fac3c1a3c5749d218b15
                                                                                  • Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                  • Instruction Fuzzy Hash: 5541E531B1864286F700DF61E814BAA3360FB85B98F644135DD4F8BB99CF3DD8498748
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  • Opcode ID: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                                  • Instruction ID: 1fdcbaf1ed2bc43cff3847fb2991d8f583e32d80230691a1a8e939c9c395240d
                                                                                  • Opcode Fuzzy Hash: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                                  • Instruction Fuzzy Hash: B012DE62F0CB42A4EB10DB64D5466BD6362AB457A8F600632DE5C97BDEDF3CE189D300

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3536497005-0
                                                                                  • Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                  • Instruction ID: bf192422528de077199ff503e4f33e94d8cfac8aec57b01a6e4eac20f532ca57
                                                                                  • Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                  • Instruction Fuzzy Hash: 7E61F272A0874195E7608F29E50036E67B2BB947A8F201335DFAA43BD8CF3DD054D744

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID: sfxcmd$sfxpar
                                                                                  • API String ID: 3540648995-3493335439
                                                                                  • Opcode ID: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                  • Instruction ID: 47f739bc4788db9c72f522fd32e7144b67cf6dc14da81f271a3ad5b6803321ab
                                                                                  • Opcode Fuzzy Hash: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                  • Instruction Fuzzy Hash: 1C316D72F18A4694EB14DF69E8841AC3371FB48B98F241532DE5E977A9DF38E045C344

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                                  • String ID: ]
                                                                                  • API String ID: 3561356813-3352871620
                                                                                  • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                  • Instruction ID: 42be106dbd9c84ef89b72d2a7cebcbc0e075e1c2ce211e4897797b4d6bb5cc54
                                                                                  • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                  • Instruction Fuzzy Hash: 58116321B0D68355FA64AB21E65437A5291AF88BC0F280034DE5E87B9DEF3CFC059600

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Message$DialogDispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 1266772231-0
                                                                                  • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                  • Instruction ID: 375fe74a2c62a1e8c2a24bbe604f3499f058a34fd5268f483872852d190d7f25
                                                                                  • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                  • Instruction Fuzzy Hash: 11F0FF36B3858292FB509B21E895A762361FFD0B05FA45431E98FC2954DF3CE908CB04

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                  • String ID: EDIT
                                                                                  • API String ID: 4243998846-3080729518
                                                                                  • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                  • Instruction ID: e4f0631737424c10aac76aa74573020eb1074a79519cc38caf46945040183f77
                                                                                  • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                  • Instruction Fuzzy Hash: 8D018161B1CB8791FF209B21E8103F66390BF98744FA40031CD8E87798EE7CE149D650

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: FileWrite$Handle
                                                                                  • String ID:
                                                                                  • API String ID: 4209713984-0
                                                                                  • Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                  • Instruction ID: 7c5a9dc40aacb9a18e08501ca136c9cde2a38328ec85d7abebd80c482d99f58e
                                                                                  • Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                  • Instruction Fuzzy Hash: B2512622B1CA42A2FB91CB25D44477A6322FF94B90F644132EE4E87B98DF3CE485D340
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2912839123-0
                                                                                  • Opcode ID: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                                  • Instruction ID: 38a3b1cd1e71cad170e935da1052e6443f869e5cb9fb158e65cd837a0b802b7e
                                                                                  • Opcode Fuzzy Hash: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                                  • Instruction Fuzzy Hash: C451D162F58752A4FF009BA4D8452BD2326BF44BA4F684632DE1C97BDADFACE440D304
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2359106489-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                  • String ID:
                                                                                  • API String ID: 1452418845-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$FileHandleRead
                                                                                  • String ID:
                                                                                  • API String ID: 2244327787-0
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FDECD8: ResetEvent.KERNEL32 ref: 00007FF600FDECF1
                                                                                    • Part of subcall function 00007FF600FDECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF600FDED07
                                                                                  • ReleaseSemaphore.KERNEL32 ref: 00007FF600FDE974
                                                                                  • CloseHandle.KERNELBASE ref: 00007FF600FDE993
                                                                                  • DeleteCriticalSection.KERNEL32 ref: 00007FF600FDE9AA
                                                                                  • CloseHandle.KERNEL32 ref: 00007FF600FDE9B7
                                                                                    • Part of subcall function 00007FF600FDEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF600FDE95F,?,?,?,00007FF600FD463A,?,?,?), ref: 00007FF600FDEA63
                                                                                    • Part of subcall function 00007FF600FDEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF600FDE95F,?,?,?,00007FF600FD463A,?,?,?), ref: 00007FF600FDEA6E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 502429940-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Thread$CreatePriority
                                                                                  • String ID: CreateThread failed
                                                                                  • API String ID: 2610526550-3849766595
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: DirectoryInitializeMallocSystem
                                                                                  • String ID: riched20.dll
                                                                                  • API String ID: 174490985-3360196438
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FE853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF600FE856C
                                                                                    • Part of subcall function 00007FF600FDAAE0: LoadStringW.USER32 ref: 00007FF600FDAB67
                                                                                    • Part of subcall function 00007FF600FDAAE0: LoadStringW.USER32 ref: 00007FF600FDAB80
                                                                                    • Part of subcall function 00007FF600FC1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FC1FFB
                                                                                    • Part of subcall function 00007FF600FC129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600FC1396
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FF01BB
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FF01C1
                                                                                  • SendDlgItemMessageW.USER32 ref: 00007FF600FF01F2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                  • String ID:
                                                                                  • API String ID: 3106221260-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2371198981-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2272807158-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2176759853-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                                  • String ID:
                                                                                  • API String ID: 1875163511-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1203560049-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3118131910-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1203560049-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  APIs
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FCF895
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FCF89B
                                                                                    • Part of subcall function 00007FF600FD3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF600FE0811), ref: 00007FF600FD3EFD
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                  • String ID:
                                                                                  • API String ID: 3587649625-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF600FD274D), ref: 00007FF600FD28A9
                                                                                  • GetLastError.KERNEL32(?,00007FF600FD274D), ref: 00007FF600FD28B8
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 2976181284-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1746051919-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: File$BuffersFlushTime
                                                                                  • String ID:
                                                                                  • API String ID: 1392018926-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: LoadString
                                                                                  • String ID:
                                                                                  • API String ID: 2948472770-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ItemRectTextWindow$Clientswprintf
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF600FDEBAD,?,?,?,?,00007FF600FD5752,?,?,?,00007FF600FD56DE), ref: 00007FF600FDEB5C
                                                                                  • GetProcessAffinityMask.KERNEL32 ref: 00007FF600FDEB6F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Process$AffinityCurrentMask
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorFreeHeapLast
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FDE948: ReleaseSemaphore.KERNEL32 ref: 00007FF600FDE974
                                                                                    • Part of subcall function 00007FF600FDE948: CloseHandle.KERNELBASE ref: 00007FF600FDE993
                                                                                    • Part of subcall function 00007FF600FDE948: DeleteCriticalSection.KERNEL32 ref: 00007FF600FDE9AA
                                                                                    • Part of subcall function 00007FF600FDE948: CloseHandle.KERNEL32 ref: 00007FF600FDE9B7
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FE1ACB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FD3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF600FE0811), ref: 00007FF600FD3EFD
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FCE993
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                                                  • String ID:
                                                                                  • API String ID: 3947729631-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                  • String ID:
                                                                                  • API String ID: 680105476-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID:
                                                                                  • API String ID: 3215553584-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FF1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF600FF1573,?,?,?,00007FF600FF192A), ref: 00007FF600FF162B
                                                                                  • DloadProtectSection.DELAYIMP ref: 00007FF600FF15C9
                                                                                  Similarity
                                                                                  • API ID: DloadHandleModuleProtectSection
                                                                                  • String ID:
                                                                                  • API String ID: 2883838935-0
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FD40BC: FindFirstFileW.KERNELBASE ref: 00007FF600FD410B
                                                                                    • Part of subcall function 00007FF600FD40BC: FindFirstFileW.KERNEL32 ref: 00007FF600FD415E
                                                                                    • Part of subcall function 00007FF600FD40BC: GetLastError.KERNEL32 ref: 00007FF600FD41AF
                                                                                  • FindClose.KERNELBASE(?,?,00000000,00007FF600FE0811), ref: 00007FF600FD3EFD
                                                                                  Similarity
                                                                                  • API ID: Find$FileFirst$CloseErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1464966427-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: File
                                                                                  • String ID:
                                                                                  • API String ID: 749574446-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 1611563598-0
                                                                                  • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                  • Instruction ID: ab5a465946bd2587a4e0dc2af5c467757dd11b43b20509574e9c1e9801ff8f36
                                                                                  • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                  • Instruction Fuzzy Hash: 06C04C21F1D602C1DB18AB26C8C911813A5BB54B05F758036D64DC6660DE2DD5EAA789
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: AllocHeap
                                                                                  • String ID:
                                                                                  • API String ID: 4292702814-0
                                                                                  • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                  • Instruction ID: 4e95bb9b3067767877704991bf70127b24e264a000afc1b300eb4fb066ba0fa9
                                                                                  • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                  • Instruction Fuzzy Hash: C4F0B451F8D70765FE545B6199113B412995F84F84F3C6430CD0ECB3C9EE2CE689E210
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: AllocHeap
                                                                                  • String ID:
                                                                                  • API String ID: 4292702814-0
                                                                                  • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                  • Instruction ID: 2b94c4d0c61d489993c70876e483601d154433800dc8219767cb152f513c6a77
                                                                                  • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                  • Instruction Fuzzy Hash: 2AF08C50F8D20764FF246BF158002B4229A5F847A4F285A30DD6EC73C9DEACA480E211
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                  • Instruction ID: 9503d0ca1c187937fa3395a638fe9fb2990126971681c4d0b00ac4db2ecdd9ab
                                                                                  • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                  • Instruction Fuzzy Hash: 5CF0CD21A0C64255FB648F30D1413792761EB14B79F688336EF7D822DCCF28D895D740
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                  • API String ID: 2659423929-3508440684
                                                                                  • Opcode ID: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                                  • Instruction ID: 4788d4256893741de8b32d905d875900d85d70d312cd2adef36194e90e1a1e08
                                                                                  • Opcode Fuzzy Hash: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                                  • Instruction Fuzzy Hash: C062BB62F0C682A5FB00DB74D5466BD2361AF857A4F204632DE6D93BEADF38E185D340
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                  • String ID: %ls$%s: %s
                                                                                  • API String ID: 2539828978-2259941744
                                                                                  • Opcode ID: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                                  • Instruction ID: 61a27be70f3b63be4e1a5b083897defda9a458513c0ba9eafabe0be4172e2430
                                                                                  • Opcode Fuzzy Hash: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                                  • Instruction Fuzzy Hash: DFB29962A5C68291EA10AB25E5551BEA311FFC67D0F204336EF9D837EEEE6CE540D304
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                  • API String ID: 1759834784-2761157908
                                                                                  • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                  • Instruction ID: bd9dab2f537336351e1179701cd91330717b5e1f58af5d496a21e90f689cfd05
                                                                                  • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                  • Instruction Fuzzy Hash: BDB2F572A082828FE7678E69D4447FD37A5FB84788F605135DA4B9BB88DF38E544CB04
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                  • String ID: rtmp
                                                                                  • API String ID: 3587137053-870060881
                                                                                  • Opcode ID: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                                  • Instruction ID: bc8e45892bea12b2f4706e370852c68459591acf58dc3bb9e95a7f81c98b4f07
                                                                                  • Opcode Fuzzy Hash: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                                  • Instruction Fuzzy Hash: 95F1AE22B1CA82A1EB10DB65D4801FE6762FB85784F601536EE4D87BADDF3CE584D740
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1693479884-0
                                                                                  • Opcode ID: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                  • Instruction ID: 7b85e7bd4c03589cfdd3abb5609b6c4e65273030222dc9c81cfbd96262385338
                                                                                  • Opcode Fuzzy Hash: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                  • Instruction Fuzzy Hash: 76A1A262F28B5194FF109BB998445BC2362AF85FE4B244236DE6D97BCDDE7CE081D204
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 3140674995-0
                                                                                  • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                  • Instruction ID: 0e00705124af4a9a2a2551f79dde006ea8d8315ff010e27bb444c0e6a5423c2b
                                                                                  • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                  • Instruction Fuzzy Hash: 6D315272A09B819AEB649F60E8503FD7364FB84744F54843ADA8E87B98DF38D648C714
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1239891234-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  APIs
                                                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF600FFFAC4
                                                                                    • Part of subcall function 00007FF600FF7934: GetCurrentProcess.KERNEL32(00007FF601000CCD), ref: 00007FF600FF7961
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                  • String ID: *?$.
                                                                                  • API String ID: 2518042432-3972193922
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: memcpy_s
                                                                                  • String ID:
                                                                                  • API String ID: 1502251526-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                  • String ID:
                                                                                  • API String ID: 1365068426-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .
                                                                                  • API String ID: 0-248832578
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ExceptionRaise_clrfp
                                                                                  • String ID:
                                                                                  • API String ID: 15204871-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ObjectRelease$CapsDevice
                                                                                  • String ID:
                                                                                  • API String ID: 1061551593-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FormatInfoLocaleNumber
                                                                                  • String ID:
                                                                                  • API String ID: 2169056816-0
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FD24C0: CreateFileW.KERNELBASE ref: 00007FF600FD259B
                                                                                    • Part of subcall function 00007FF600FD24C0: GetLastError.KERNEL32 ref: 00007FF600FD25AE
                                                                                    • Part of subcall function 00007FF600FD24C0: CreateFileW.KERNEL32 ref: 00007FF600FD260E
                                                                                    • Part of subcall function 00007FF600FD24C0: GetLastError.KERNEL32 ref: 00007FF600FD2617
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600FD15D0
                                                                                    • Part of subcall function 00007FF600FD3980: MoveFileW.KERNEL32 ref: 00007FF600FD39BD
                                                                                    • Part of subcall function 00007FF600FD3980: MoveFileW.KERNEL32 ref: 00007FF600FD3A34
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 34527147-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Version
                                                                                  • String ID:
                                                                                  • API String ID: 1889659487-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: 0
                                                                                  • API String ID: 3215553584-4108050209
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: 0
                                                                                  • API String ID: 3215553584-4108050209
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: gj
                                                                                  • API String ID: 0-4203073231
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @
                                                                                  • API String ID: 0-2766056989
                                                                                  Similarity
                                                                                  • API ID: HeapProcess
                                                                                  • String ID:
                                                                                  • API String ID: 54951025-0
                                                                                  • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                  • Instruction ID: 6f6d8495a52ce9ba652da6bae11c8311f7c330550b2f68171fc42eb5e1b4d45a
                                                                                  • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                  • Instruction Fuzzy Hash: 9CB09220E17A02C2EB092F116C8225423A4BF88700FA4C039C18E81320DE2C25A54704
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                                  • Instruction ID: e2de345b66c8179d1f29882763d872de79c5dd3f2cb53ab274d7123780e05e67
                                                                                  • Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                                  • Instruction Fuzzy Hash: A28216A7A0D6C196D715CF28D4082BC7BA1E755F88F29813ADE8E87389EE3CE545D310
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                  • Instruction ID: 6a1e0187d56d70c48a535d4a257eb9641cb5a081bc8a79362616d40f59e49f50
                                                                                  • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                  • Instruction Fuzzy Hash: CE627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                                  • Instruction ID: a1b035bfd4a6a774c069d178e1edf742f0f9cdaed33188cf28bfefc63b72eb5e
                                                                                  • Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                                  • Instruction Fuzzy Hash: 93820FB2A0DAC19AD724CF28D4146FC7BA1E755F48F288236CE4D87789EE3C9885D710
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                  • Instruction ID: 86b7ec8704429e93a4c3d10bc260f2d6fdb5996169c725e51aed67ff383ad444
                                                                                  • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                  • Instruction Fuzzy Hash: 8D22E5B3B246508BD728CF15C89AE5E3766F798744B4B8229DF0ACB789DB38D505CB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                  • Instruction ID: b92d9ad43643a20632713c0f81ea46253e06a72fd8292c16744b0032a03a1cb5
                                                                                  • Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                  • Instruction Fuzzy Hash: 9232AF72A085D19BE718CF28D550ABC37A1F754B48F25813ADE4A87B88EF3CE855DB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                  • Instruction ID: 3cc08b15f6f2058cd28a0e06da5645cf310eae4d31a78f68a0db26d5dc20fb20
                                                                                  • Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                  • Instruction Fuzzy Hash: 14C19DB7B281908FE350CF7AE400AAD3BB1F39878CB519125DF59A7B09D639E645CB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1700621429.00007FF600FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700739213.00007FF601008000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF60101B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700773722.00007FF601024000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1700832443.00007FF60102E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID:
                                                                                  • API String ID: 190572456-0
                                                                                  • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                  • Instruction ID: 59fbb532f594ed2c04fac47a783375fc6a6493061933718d7e7371f2ca6cde83
                                                                                  • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                  • Instruction Fuzzy Hash: 01911D62B1C685A6EB11CF29D4516FD2721FF95788F540032EF4E87B59EE39E606C300
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                  • API String ID: 3668304517-727060406
                                                                                  • Opcode ID: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                                  • Instruction ID: da363b8bfb4255240ad745781dd3156ae54e1d6d9a397d2020da8432a9662c6d
                                                                                  • Opcode Fuzzy Hash: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                                  • Instruction Fuzzy Hash: 2C41E336A09F05A9EB019F60E4813ED33B9FB48798F604636DE8D83B69EE38D155C344
                                                                                  Similarity
                                                                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                  • API String ID: 2565136772-3242537097
                                                                                  • Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                  • Instruction ID: 39b6601306857e38e39ae70667574cd99fce1bffd0381f5c2576c76e9c4ca2b5
                                                                                  • Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                  • Instruction Fuzzy Hash: 1A21E764E5DA0391EF969F51E85517423A8AF48B80FB48036DD8FC37A4EE3CA545D304
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                  • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                  • API String ID: 4097890229-4048004291
                                                                                  • Opcode ID: 56c6116d5534ddc5b4079fdeed8715d081fed04d0e9eb28ce3c332ce1ff1d7ed
                                                                                  • Instruction ID: 1844dfd51021b0c0ce0ab2f2b217ca75d20b16703bac92ba019a28fbcf1e4927
                                                                                  • Opcode Fuzzy Hash: 56c6116d5534ddc5b4079fdeed8715d081fed04d0e9eb28ce3c332ce1ff1d7ed
                                                                                  • Instruction Fuzzy Hash: C312AD22B0CB42A0EB10DB69D4441AD6372EB85B88F604236DE5D87BEDDF3CE549D344
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                  • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                  • API String ID: 431506467-1315819833
                                                                                  • Opcode ID: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                                  • Instruction ID: df67387c519d23a8ee83acb6dd55ee7a56b3d6602c701a9de240f88d6006b232
                                                                                  • Opcode Fuzzy Hash: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                                  • Instruction Fuzzy Hash: 31B1AB62F1DB8295FB00DB64D4442BC2362AF85398F604236DE5DA7BDDEE3CE445D204
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                                  • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                  • API String ID: 2868844859-1533471033
                                                                                  • Opcode ID: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                                  • Instruction ID: 5486da73e30b6ea9fe3c7a167268feaa5f997ef363cf9f3a885d831ef2d7a445
                                                                                  • Opcode Fuzzy Hash: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                                  • Instruction Fuzzy Hash: 03818C62B1CB86A5FB01EBA5D4402FD6371AF48788F604536CE1D9779AEE38E50AD304
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                  • API String ID: 3215553584-2617248754
                                                                                  • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                  • Instruction ID: c9f0bd9178a4f3e22c65b0617da5d34f1390eb6dea38c1b30926adcef33e7c33
                                                                                  • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                  • Instruction Fuzzy Hash: C241AE72A0AB4599F715CF25E8417AD33A8EB18398F214236EE9D87B98DE3CD125C344
                                                                                  Similarity
                                                                                  • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                  • String ID: STATIC
                                                                                  • API String ID: 2845197485-1882779555
                                                                                  • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                  • Instruction ID: b00b410c22894e309e48836107e8d4838895d41e8c05c730aaf0af1e08107be6
                                                                                  • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                  • Instruction Fuzzy Hash: 6C317425B0C78296FB60DB12E5547BA6391BF89BD0F644430DD4E87B99EF3CD8468740
                                                                                  Similarity
                                                                                  • API ID: ItemTextWindow
                                                                                  • String ID: LICENSEDLG
                                                                                  • API String ID: 2478532303-2177901306
                                                                                  • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                  • Instruction ID: 0a29863c05743b90dbf15ab5d8b5df70c8121804ce87226765cea7a0e95a2490
                                                                                  • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                  • Instruction Fuzzy Hash: F941B135B0CA9282FB549B12E81477923A1AF88F84F744435DD4F87B99DF3CE9469309
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                  • API String ID: 2915667086-2207617598
                                                                                  • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                  • Instruction ID: cea1e034c34b2595d4425d3cb1d2f24c37b8aca58fecf8a3ed5f0e37f8d92671
                                                                                  • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                  • Instruction Fuzzy Hash: 4E316824F0DB0290FB169F12A95527533A2BF59B90F264136CD8F833A9DF3CE941A308
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: $
                                                                                  • API String ID: 3668304517-227171996
                                                                                  • Opcode ID: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                                  • Instruction ID: e1954ad749b992f68f47a4d55469ad3e58be06f854788afb9b679e8c6001b597
                                                                                  • Opcode Fuzzy Hash: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                                  • Instruction Fuzzy Hash: 9FF1DF62F1DB86A0EE10AB69D4441BC2362AB45BD8F605631CE6D937DDEF7CE182D340
                                                                                  Similarity
                                                                                  • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                  • String ID: csm$csm$csm
                                                                                  • API String ID: 2940173790-393685449
                                                                                  • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                  • Instruction ID: c71dd4e532625c8271f4a1217f1b76db58bd881182c919e10764a58840905287
                                                                                  • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                  • Instruction Fuzzy Hash: 74E18D7294CB829AE7209B65D4802BD7BA8FF45B58F240235DF8D9779ACF38E485D700
                                                                                  Similarity
                                                                                  • API ID: AllocClearStringVariant
                                                                                  • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                  • API String ID: 1959693985-3505469590
                                                                                  • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                  • Instruction ID: 14dc9d28fb434b29dc29e9dac34a760e873db62593d09c700f3b919b783d7495
                                                                                  • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                  • Instruction Fuzzy Hash: 87711B76A18A0595EB20CF25E8806AD77B5FB88B98F645137EE4E83B68CF3DD544C700
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF600FF74F3,?,?,?,00007FF600FF525E,?,?,?,00007FF600FF5219), ref: 00007FF600FF7371
                                                                                  • GetLastError.KERNEL32(?,?,00000000,00007FF600FF74F3,?,?,?,00007FF600FF525E,?,?,?,00007FF600FF5219), ref: 00007FF600FF737F
                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF600FF74F3,?,?,?,00007FF600FF525E,?,?,?,00007FF600FF5219), ref: 00007FF600FF73A9
                                                                                  • FreeLibrary.KERNEL32(?,?,00000000,00007FF600FF74F3,?,?,?,00007FF600FF525E,?,?,?,00007FF600FF5219), ref: 00007FF600FF73EF
                                                                                  • GetProcAddress.KERNEL32(?,?,00000000,00007FF600FF74F3,?,?,?,00007FF600FF525E,?,?,?,00007FF600FF5219), ref: 00007FF600FF73FB
                                                                                  Similarity
                                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                  • String ID: api-ms-
                                                                                  • API String ID: 2559590344-2084034818
                                                                                  • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                  • Instruction ID: 840f2a9f1902b6dcbfa6f2c004993251438e3308614eb06b4ceac8a95c0ef28f
                                                                                  • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                  • Instruction Fuzzy Hash: 4A31C321A5EB42E1EF12EB16A8006756398FF08BA4F2A4935DD5D8B398DF3CE441E710
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(?,?,?,00007FF600FF1573,?,?,?,00007FF600FF192A), ref: 00007FF600FF162B
                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF600FF1573,?,?,?,00007FF600FF192A), ref: 00007FF600FF1648
                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF600FF1573,?,?,?,00007FF600FF192A), ref: 00007FF600FF1664
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                  • API String ID: 667068680-1718035505
                                                                                  • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                  • Instruction ID: 20972c99faae5d4a4f981806093a1081c17a6284b8deb3cd9552ed477cd1843e
                                                                                  • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                  • Instruction Fuzzy Hash: 28111B24E5EB02E1FF658F01A94027422997F08794FBC9436CD5EC7398EE3CA884E604
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF600FD51A4: GetVersionExW.KERNEL32 ref: 00007FF600FD51D5
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDED8C
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDED98
                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDEDA8
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDEDB6
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDEDC4
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF600FC5AB4), ref: 00007FF600FDEE05
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                  • Instruction ID: 0ac72a922d000cec713124989e096cc05328dd76c127b843e630dc1f0eeb0a74
                                                                                  • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                  • Instruction Fuzzy Hash: 94516BB2F146519AEB14CFA9D4441AC77B2FB48B88B60803ADE4E97B58DF38E556C700
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                  • Instruction ID: 1f72a2bb3fe56e814a07f13e92d3fbbc859b6a69c74f6b54c5b6226b2b263978
                                                                                  • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                  • Instruction Fuzzy Hash: CC312662F14A519AEB00CFB5E8801AC3771FB18758B64503AEE4EA7A58EF38D895C704
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: .rar$exe$rar$sfx
                                                                                  • API String ID: 3668304517-630704357
                                                                                  • Opcode ID: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                  • Instruction ID: 5d8a3795b73e1b74a3214e7fe3020a8c9ad59be84c58e48debbba02483de6593
                                                                                  • Opcode Fuzzy Hash: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                  • Instruction Fuzzy Hash: 83A18D22A1CB0660EB04AF25D4452BC2362BF41B98F605236DE5E8B7AEEF3CE545D340
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: abort$CallEncodePointerTranslator
                                                                                  • String ID: MOC$RCC
                                                                                  • API String ID: 2889003569-2084237596
                                                                                  • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                  • Instruction ID: ad63315f9fdce73075846133519097fc33ed5dc58e54d54354d41248eb690098
                                                                                  • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                  • Instruction Fuzzy Hash: C1919073A08B91AAE710CB65E4402AD7BA4FB44B88F244139EF8D97B59DF38D195DB00
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                  • String ID: csm$f
                                                                                  • API String ID: 2395640692-629598281
                                                                                  • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                  • Instruction ID: 1981610e42d09f9afabae5849b54afde4493190b91482ad445894ae370744a99
                                                                                  • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                  • Instruction Fuzzy Hash: 73518C32A5DA02A6EB14DF15E844A3937A9FF44F88F618134EE5A8778CDF78E841D740
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                  • API String ID: 2102711378-639343689
                                                                                  • Opcode ID: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                                  • Instruction ID: 5251f7cc3b5be4603e597bd4040cea896505a46993199bc6daef20c5b132f52c
                                                                                  • Opcode Fuzzy Hash: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                                  • Instruction Fuzzy Hash: C851E162F0C742A5FB10EB64D9426BD23A1AF847A4F200535DE5E9379EDF3CA886D200
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$Show$Rect
                                                                                  • String ID: RarHtmlClassName
                                                                                  • API String ID: 2396740005-1658105358
                                                                                  • Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                  • Instruction ID: 0fe29a172181e35d2bfec199b86baa1059c0a81fa1206aa9e38b293f7112c53c
                                                                                  • Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                  • Instruction Fuzzy Hash: A0517222A0DB829AEB64AB25E44437AB3A0FF85780F244435DE8F87B59DF3CE4458700
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                  • API String ID: 0-56093855
                                                                                  • Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                  • Instruction ID: d4fa762af8a6d0b2ec491b99b3d29c5716eb3f16daf52427862d94143510c0ea
                                                                                  • Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                  • Instruction Fuzzy Hash: 3921E922A0CB8791FB118F15E84417477A0AB4AB88F744136D98EC7368EE3CE9899348
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                  • API String ID: 4061214504-1276376045
                                                                                  • Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                  • Instruction ID: 4b3a03c85c21983b6c98b45d022cfaf711d3a071ca583be033db73bc73c30449
                                                                                  • Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                  • Instruction Fuzzy Hash: D2F04921A19A4291EF568F11E98027963A4FF88B90F69503AE98FC7769DE3CE485C704
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID:
                                                                                  • API String ID: 3215553584-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2398171386-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 3659116390-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$AllocString
                                                                                  • String ID:
                                                                                  • API String ID: 262959230-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID:
                                                                                  • API String ID: 190572456-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: _set_statfp
                                                                                  • String ID:
                                                                                  • API String ID: 1156100317-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                  • String ID:
                                                                                  • API String ID: 3621893840-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: __except_validate_context_recordabort
                                                                                  • String ID: csm$csm
                                                                                  • API String ID: 746414643-3733052814
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: $*
                                                                                  • API String ID: 3215553584-3982473090
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$StringType
                                                                                  • String ID: $%s
                                                                                  • API String ID: 3586891840-3791308623
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                  • String ID: csm
                                                                                  • API String ID: 2466640111-1018135373
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff600fc0000_0442.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                  • String ID: U
                                                                                  • API String ID: 2456169464-4171548499
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ObjectRelease
                                                                                  • String ID:
                                                                                  • API String ID: 1429681911-3916222277
                                                                                  APIs
                                                                                  • InitializeCriticalSection.KERNEL32(?,?,?,00007FF600FE317F,?,?,00001000,00007FF600FCE51D), ref: 00007FF600FDE8BB
                                                                                  • CreateSemaphoreW.KERNEL32(?,?,?,00007FF600FE317F,?,?,00001000,00007FF600FCE51D), ref: 00007FF600FDE8CB
                                                                                  • CreateEventW.KERNEL32(?,?,?,00007FF600FE317F,?,?,00001000,00007FF600FCE51D), ref: 00007FF600FDE8E4
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                  • String ID: Thread pool initialization failed.
                                                                                  • API String ID: 3340455307-2182114853
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CapsDeviceRelease
                                                                                  • String ID:
                                                                                  • API String ID: 127614599-3916222277
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                  • String ID:
                                                                                  • API String ID: 1137671866-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1452528299-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1077098981-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 4141327611-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3823481717-0
                                                                                  APIs
                                                                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF600FFC45B), ref: 00007FF601000B91
                                                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF600FFC45B), ref: 00007FF601000BF3
                                                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF600FFC45B), ref: 00007FF601000C2D
                                                                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF600FFC45B), ref: 00007FF601000C57
                                                                                  Similarity
                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                  • String ID:
                                                                                  • API String ID: 1557788787-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$abort
                                                                                  • String ID:
                                                                                  • API String ID: 1447195878-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CapsDevice$Release
                                                                                  • String ID:
                                                                                  • API String ID: 1035833867-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: DXGIDebug.dll
                                                                                  • API String ID: 3668304517-540382549
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: e+000$gfff
                                                                                  • API String ID: 3215553584-3030954782
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                  • String ID: SIZE
                                                                                  • API String ID: 449872665-3243624926
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                  • String ID: C:\Users\user\Desktop\0442.pdf.exe
                                                                                  • API String ID: 3307058713-1489544898
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ItemText$DialogWindow
                                                                                  • String ID: ASKNEXTVOL
                                                                                  • API String ID: 445417207-3402441367
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide_snwprintf
                                                                                  • String ID: $%s$@%s
                                                                                  • API String ID: 2650857296-834177443
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FileHandleType
                                                                                  • String ID: @
                                                                                  • API String ID: 3000768030-2766056989
                                                                                  APIs
                                                                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600FF1D3E), ref: 00007FF600FF40BC
                                                                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600FF1D3E), ref: 00007FF600FF4102
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                  • String ID: csm
                                                                                  • API String ID: 2573137834-1018135373
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF600FDE95F,?,?,?,00007FF600FD463A,?,?,?), ref: 00007FF600FDEA63
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF600FDE95F,?,?,?,00007FF600FD463A,?,?,?), ref: 00007FF600FDEA6E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorLastObjectSingleWait
                                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                  • API String ID: 1211598281-2248577382
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1700660620.00007FF600FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600FC0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FindHandleModuleResource
                                                                                  • String ID: RTL
                                                                                  • API String ID: 3537982541-834975271