Edit tour

Windows Analysis Report
e-SPT Masa PPh.exe

Overview

General Information

Sample name:	e-SPT Masa PPh.exe
Analysis ID:	1585779
MD5:	097c653ddf86f75924a7192fb612b889
SHA1:	23fc34bf9649a820a98148697e99ae3c4919ed76
SHA256:	bbd7bf7a8d98d3cf5fb8c3f089ca61b57021fbed911465d5caf405d69a531439
Tags:	exeuser-MAM
Infos:

Detection

BlackMoon

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected BlackMoon Ransomware

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

e-SPT Masa PPh.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\e-SPT Masa PPh.exe" MD5: 097C653DDF86F75924A7192FB612B889)

e-SPT Masa PPh.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="7304" AI_MORE_CMD_LINE=1 MD5: 097C653DDF86F75924A7192FB612B889)

msiexec.exe (PID: 7420 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7464 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E68703343D1710A5BD8674B125AC70C2 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7852 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 129C99B55643455FEF40AE203A6AF1CF MD5: 9D09DC1EDA745A5F87553048E57620CF)

fhjyy.exe (PID: 8148 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe" MD5: BE4ED0D3AA0B2573927A046620106B13)

e8a0d5af432b7e64DBD.exe (PID: 8184 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32" -pIWLHTVJXHINUWUFBWIU -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 1620 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 3652 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 1052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bor32-update-flase.exe (PID: 7192 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Bor32-update-flase.exe (PID: 7504 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Haloonoroff.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe" MD5: 0D318144BD23BA1A72CC06FE19CB3F0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll	Mimikatz_Gen_Strings	Detects Mimikatz by using some special strings	Florian Roth	0x6b86c:$s5: Ask debug privilege
C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x6bf04:$x6: Lists LM & NTLM credentials
C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll	Mimikatz_Gen_Strings	Detects Mimikatz by using some special strings	Florian Roth	0x6b86c:$s5: Ask debug privilege
C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x6bf04:$x6: Lists LM & NTLM credentials
C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000F.00000000.2042743585.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000009.00000003.1984404151.0000000002C66000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 8184	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Bor32-update-flase.exe PID: 7504	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.Bor32-update-flase.exe.2f3950e.5.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.Bor32-update-flase.exe.2f3950e.5.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:
15.0.Bor32-update-flase.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
18.2.Bor32-update-flase.exe.2f3950e.5.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.Bor32-update-flase.exe.2f3950e.5.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T08:58:44.684902+0100	2052875	1	A Network Trojan was detected	192.168.2.4	52312	154.82.113.139	63701	TCP
2025-01-08T08:59:44.763721+0100	2052875	1	A Network Trojan was detected	192.168.2.4	52312	154.82.113.139	63701	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: e-SPT Masa PPh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcr90.dll

Source: e-SPT Masa PPh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1682984141.0000000009B67000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1758799240.00000000079DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A09000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000002.2008215461.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000000.1968333923.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000002.2025179001.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000000.2008735464.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000002.2026989357.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000000.2025700023.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088367903.0000000000738000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000012.00000002.2088367903.0000000000730000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, Bor32-update-flase.exe, 00000012.00000002.2098796900.000000006B181000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: e-SPT Masa PPh.exe, 00000000.00000003.1682984141.0000000009B67000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1758799240.00000000079DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: fhjyy.exe, 00000008.00000002.2027520965.0000000000D6E000.00000002.00000001.01000000.0000000B.sdmp, fhjyy.exe, 00000008.00000000.1966251587.0000000000D6E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000013.00000000.2082698409.0000000000D2E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: e-SPT Masa PPh.exe
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008480000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752731123.000000000564B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757532027.0000000008516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: e:
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File opened: a:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File opened: [:

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BEE4E0 FindFirstFileW,GetLastError,FindClose,	0_2_00BEE4E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD4AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00AD4AD0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C19F30 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00C19F30
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C140C0 FindFirstFileW,FindClose,	0_2_00C140C0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BD0370 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD0370
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C24620 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00C24620
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C24AA0 FindFirstFileW,FindClose,	0_2_00C24AA0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BFCDF0 FindFirstFileW,FindClose,FindClose,	0_2_00BFCDF0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BEDBB0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00BEDBB0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C604E20 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6C604E20
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5FF260 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_6C5FF260
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BEE4E0 FindFirstFileW,GetLastError,FindClose,	3_2_00BEE4E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BEDA30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	3_2_00BEDA30
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C78BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	9_2_00C78BA4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CDD9C1 FindFirstFileExW,	9_2_00CDD9C1
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CDD996 FindFirstFileExA,	9_2_00CDD996
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0085657C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	18_2_0085657C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00858E6C FindFirstFileA,FindClose,	18_2_00858E6C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00858E6A FindFirstFileA,FindClose,	18_2_00858E6A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A52298 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	18_2_00A52298
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A698 FindFirstFileA,FindClose,	18_2_0098A698
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A696 FindFirstFileA,FindClose,	18_2_0098A696
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A7A8 FindFirstFileA,FindClose,	18_2_0098A7A8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009D27D0 FindFirstFileA,FindClose,FileTimeToDosDateTime,	18_2_009D27D0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098AAB4 FindFirstFileA,GetLastError,	18_2_0098AAB4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00986B80 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	18_2_00986B80
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A4EDA0 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	18_2_00A4EDA0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C23270 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00C23270

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:52312 -> 154.82.113.139:63701

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 154.82.113.139 ports 63701,0,1,3,6,7

Source: global traffic

TCP traffic: 192.168.2.4:52312 -> 154.82.113.139:63701

Source: Joe Sandbox View

ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS

Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.139

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: "https://www.facebook.com/iobitsoft equals www.facebook.com (Facebook)

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://http://HTTP/1.0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/moreuse.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/multi_app/app_db3promote.php?action=insert
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_driverinstall.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_extlink_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_temp_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/insert.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/usage.php
Source: e-SPT Masa PPh.exe, 00000000.00000002.2056646294.000000000A4F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digic
Source: e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCeh
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056435084.000000000847F000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056465509.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: e-SPT Masa PPh.exe, e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://collect.installeranalytics.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056465509.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRo
Source: e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: e-SPT Masa PPh.exe, 00000000.00000002.2055181236.0000000005561000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054031685.0000000005561000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: e-SPT Masa PPh.exe, 00000000.00000002.2055181236.0000000005561000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054031685.0000000005561000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042956843.00000000055FF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: e-SPT Masa PPh.exe, 00000000.00000003.1679759298.0000000008424000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1679438259.00000000083FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24b5be3d5a225
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2100190046.000000006B296000.00000008.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/V
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2100190046.000000006B296000.00000008.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, Bor32-update-flase.exe, 00000012.00000002.2100016772.000000006B282000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/forum/driver-booster/driver-booster-5
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/showthread.php?t=16792
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://idb.iobit.com/check.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://install-log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056435084.000000000847F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.c
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056646294.000000000A4F0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008497000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054374043.000000000849F000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056465509.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.00000000084F5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041949573.000000000561A000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2043031177.000000000561B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000002.2042854010.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.2041788366.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757661789.000000000850C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752935670.0000000005641000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: e-SPT Masa PPh.exe	String found in binary or memory: http://schemas.micr
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_day.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_month.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/register.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iotransfer.net/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcd.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/Freeware-db.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_free.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_oth.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_pro.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db3/embhtml/update.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://updatestats.cd4o.com/api.php?act=update
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.360.cn
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bsplayer.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/wlst/v.json
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/language-subtag-registry
Source: Bor32-update-flase.exe, 00000012.00000002.2089424089.0000000000ADD000.00000020.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb-%d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=bannerbuy
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=compare
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=dbproduct
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=download
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=expired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=faq
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feature
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feedback
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=filerupt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=forum
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=gaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=help
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=helptranslate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=htmlfailed
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=index
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=install
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=likefb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=lostcode
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=multipcexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=othupdate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=proupdate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase-%d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=reggaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regovermax
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=revokedkey
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=update
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=usermanual
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=vertoold
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/cloud/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/compare/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/driver-booster-pro.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/faq.php?product=db
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/feedback/db/feedback.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbproregister
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbsurvey
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=likefb01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DBU
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/hotquestions-db.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/install/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/lostcode.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/productfeedback.php?product=driver-booster
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kuwo.cn0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ludashi.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/bcp/bcp47.txt
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cn
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/BaiZhu/Request
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupList
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/Device/ClientHardwareConfig
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Get
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew%s?channel=%shttps://bizhi.hfnuola.com/pc/desktop
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/StartUp
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/hour
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/desktopSubject
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/fhbzApi/checkFile
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSet
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti%sFFSL.exe
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.html
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.htmlchrome-error://chromewebdata_err:firstNav_
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=9IagJ4qlKos8A8lm
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p
Source: e-SPT Masa PPh.exe, e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com
Source: e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.cnstrtolwcstombsmbstowcsiexplore.exe360chrome.exe360se.exeSafehmpgHelperkslaunchwsaf
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc
Source: e-SPT Masa PPh.exe	String found in binary or memory: https://installeranalytics.com
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://logs.hfnuola.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s1.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s2.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0B
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/iobitsoft
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088721362.0000000000964000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gnu.org/licenses/
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com/select
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.itrus.com.cn0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_009F0F5C OpenClipboard,GlobalAlloc,GlobalLock,EmptyClipboard,SetClipboardData,GlobalUnlock,

18_2_009F0F5C

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_009F0F5C OpenClipboard,GlobalAlloc,GlobalLock,EmptyClipboard,SetClipboardData,GlobalUnlock,

18_2_009F0F5C

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_009DC328 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

18_2_009DC328

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00BCA0D0 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,

0_2_00BCA0D0

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_00A17AD4 GetMessagePos,GetKeyboardState,

18_2_00A17AD4

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_5dac831d-4

Source: Yara match

File source: Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 8184, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 18.2.Bor32-update-flase.exe.2f3950e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Bor32-update-flase.exe.2f3950e.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bor32-update-flase.exe PID: 7504, type: MEMORYSTR

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_00A4F1A0 OpenDesktopA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDesktopA,

18_2_00A4F1A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.Bor32-update-flase.exe.2f3950e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.Bor32-update-flase.exe.2f3950e.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED	Matched rule: Detects Mimikatz by using some special strings Author: Florian Roth
Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED	Matched rule: Detects Mimikatz by using some special strings Author: Florian Roth
Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED	Matched rule: Detects Mimikatz strings Author: Florian Roth

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BA82D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor,	0_2_00BA82D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C3BBB0 NtdllDefWindowProc_W,	0_2_00C3BBB0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AC8480 NtdllDefWindowProc_W,GetSysColor,	0_2_00AC8480
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00B864E0 NtdllDefWindowProc_W,	0_2_00B864E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD2590 NtdllDefWindowProc_W,	0_2_00AD2590
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ACA680 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00ACA680
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD2700 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00AD2700
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ADE8F0 NtdllDefWindowProc_W,	0_2_00ADE8F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AECC50 NtdllDefWindowProc_W,	0_2_00AECC50
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ACAE70 NtdllDefWindowProc_W,	0_2_00ACAE70
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD8F00 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00AD8F00
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ACB4D0 NtdllDefWindowProc_W,	0_2_00ACB4D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AC7600 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00AC7600
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00B31640 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00B31640
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AC7DD0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_00AC7DD0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BA82D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	3_2_00BA82D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AC8480 NtdllDefWindowProc_W,	3_2_00AC8480
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00B864E0 NtdllDefWindowProc_W,	3_2_00B864E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ACB4D0 NtdllDefWindowProc_W,	3_2_00ACB4D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AD2590 NtdllDefWindowProc_W,	3_2_00AD2590
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ACA680 NtdllDefWindowProc_W,	3_2_00ACA680
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AC7600 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	3_2_00AC7600
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00B31640 NtdllDefWindowProc_W,	3_2_00B31640
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AD2700 NtdllDefWindowProc_W,	3_2_00AD2700
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ADE8F0 NtdllDefWindowProc_W,	3_2_00ADE8F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AECC50 NtdllDefWindowProc_W,	3_2_00AECC50
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ACAE70 NtdllDefWindowProc_W,	3_2_00ACAE70
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AD8F00 NtdllDefWindowProc_W,DeleteCriticalSection,	3_2_00AD8F00
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_008969D8 inet_addr,ntohl,lstrcmpiA,	18_2_008969D8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00896A24 ntohl,inet_ntoa,	18_2_00896A24
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A4CA0C inet_addr,ntohl,lstrcmpiA,	18_2_00A4CA0C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A4CA58 ntohl,inet_ntoa,	18_2_00A4CA58

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe

Code function: 9_2_00C7A063: __EH_prolog3,GetFileInformationByHandle,DeviceIoControl,

9_2_00C7A063

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3df3bd.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB8C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A66.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A96.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B81.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D33.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIB1E.tmp

Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BF6710	0_2_00BF6710
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C08AE0	0_2_00C08AE0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C04A60	0_2_00C04A60
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C332B0	0_2_00C332B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C4D2B0	0_2_00C4D2B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ADF580	0_2_00ADF580
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C19F30	0_2_00C19F30
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C5A310	0_2_00C5A310
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AEE370	0_2_00AEE370
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CDE4BF	0_2_00CDE4BF
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AE6440	0_2_00AE6440
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AE25B3	0_2_00AE25B3
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CCC6B0	0_2_00CCC6B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CD48D3	0_2_00CD48D3
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C9E8E0	0_2_00C9E8E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BCA930	0_2_00BCA930
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AF2970	0_2_00AF2970
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00B34B50	0_2_00B34B50
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CC4CCE	0_2_00CC4CCE
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AE4C80	0_2_00AE4C80
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C50C60	0_2_00C50C60
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD2C40	0_2_00AD2C40
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ADAF20	0_2_00ADAF20
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00D7EF0C	0_2_00D7EF0C
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C510D0	0_2_00C510D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CC505C	0_2_00CC505C
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ADF010	0_2_00ADF010
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AB3480	0_2_00AB3480
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AB1490	0_2_00AB1490
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AEF5B0	0_2_00AEF5B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00D4951C	0_2_00D4951C
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CA5500	0_2_00CA5500
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00D49518	0_2_00D49518
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00D49508	0_2_00D49508
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00D49520	0_2_00D49520
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C496C0	0_2_00C496C0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C5D8F0	0_2_00C5D8F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AB7AA0	0_2_00AB7AA0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00ADFDE0	0_2_00ADFDE0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C3DD60	0_2_00C3DD60
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C51E70	0_2_00C51E70
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5EB500	0_2_6C5EB500
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5F12D0	0_2_6C5F12D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C609C10	0_2_6C609C10
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5FAD40	0_2_6C5FAD40
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C609D20	0_2_6C609D20
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C615EDC	0_2_6C615EDC
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C60A960	0_2_6C60A960
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C617AB0	0_2_6C617AB0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5F7B50	0_2_6C5F7B50
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5EE4E0	0_2_6C5EE4E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C61E607	0_2_6C61E607
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C620692	0_2_6C620692
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C6071E0	0_2_6C6071E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C627182	0_2_6C627182
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5E21B0	0_2_6C5E21B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C61626A	0_2_6C61626A
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5ED240	0_2_6C5ED240
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CD03E	0_3_055CD03E
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ADF580	3_2_00ADF580
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C04A60	3_2_00C04A60
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C510D0	3_2_00C510D0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ADF010	3_2_00ADF010
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C4D2B0	3_2_00C4D2B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C5A310	3_2_00C5A310
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AEE370	3_2_00AEE370
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AB3480	3_2_00AB3480
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AB1490	3_2_00AB1490
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AE6440	3_2_00AE6440
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AE25B3	3_2_00AE25B3
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AEF5B0	3_2_00AEF5B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C496C0	3_2_00C496C0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C5D8F0	3_2_00C5D8F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AF29F3	3_2_00AF29F3
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BCA930	3_2_00BCA930
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AB7AA0	3_2_00AB7AA0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00B34B50	3_2_00B34B50
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AE4C80	3_2_00AE4C80
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C50C60	3_2_00C50C60
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AD2C40	3_2_00AD2C40
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ADFDE0	3_2_00ADFDE0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00C51E70	3_2_00C51E70
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00ADAF20	3_2_00ADAF20
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D6D237	8_2_00D6D237
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C923DA	9_2_00C923DA
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C9E319	9_2_00C9E319
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C945F7	9_2_00C945F7
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CAEB3E	9_2_00CAEB3E
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C7C09C	9_2_00C7C09C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CEC140	9_2_00CEC140
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CD0104	9_2_00CD0104
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CAC111	9_2_00CAC111
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CD0361	9_2_00CD0361
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CD05BE	9_2_00CD05BE
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB6565	9_2_00CB6565
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CEC680	9_2_00CEC680
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C84712	9_2_00C84712
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB68D7	9_2_00CB68D7
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CBA8BE	9_2_00CBA8BE
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CD082A	9_2_00CD082A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8EAC4	9_2_00C8EAC4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C98A0D	9_2_00C98A0D
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB6B81	9_2_00CB6B81
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CECB30	9_2_00CECB30
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CEACC2	9_2_00CEACC2
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CA8EC1	9_2_00CA8EC1
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB6E48	9_2_00CB6E48
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8AE29	9_2_00C8AE29
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCEF0B	9_2_00CCEF0B
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB7103	9_2_00CB7103
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C71000	9_2_00C71000
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCF13A	9_2_00CCF13A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C97395	9_2_00C97395
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8F352	9_2_00C8F352
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCF374	9_2_00CCF374
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C7D490	9_2_00C7D490
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CC34AD	9_2_00CC34AD
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C915F5	9_2_00C915F5
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCF5A3	9_2_00CCF5A3
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8D6F3	9_2_00C8D6F3
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCF7D2	9_2_00CCF7D2
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8F783	9_2_00C8F783
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CF1890	9_2_00CF1890
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CA59C7	9_2_00CA59C7
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCFA0C	9_2_00CCFA0C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8FCAB	9_2_00C8FCAB
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCFC3B	9_2_00CCFC3B
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CCFE98	9_2_00CCFE98
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_008522F4	18_2_008522F4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A3629C	18_2_00A3629C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A2C3E8	18_2_00A2C3E8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009823E4	18_2_009823E4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00986510	18_2_00986510
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A2A6B0	18_2_00A2A6B0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A366CC	18_2_00A366CC
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A087D0	18_2_00A087D0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A369C8	18_2_00A369C8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A2AA79	18_2_00A2AA79
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A38E88	18_2_00A38E88
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A35094	18_2_00A35094
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A35510	18_2_00A35510
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A37628	18_2_00A37628
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A2F668	18_2_00A2F668
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009F77F4	18_2_009F77F4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A31B34	18_2_00A31B34
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A2AE5C	18_2_00A2AE5C

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe

Process token adjusted: Security

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CDBEAC appears 31 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CC0FCC appears 87 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB2F70 appears 63 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB31BA appears 36 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CD9CD9 appears 60 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB31A7 appears 32 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB3225 appears 36 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB31F1 appears 336 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: String function: 00CB325C appears 35 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00AB9300 appears 239 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00CBD400 appears 38 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00AD4AD0 appears 47 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00ABA840 appears 66 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00CBCA24 appears 59 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00BE2340 appears 56 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00CB9CA7 appears 45 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00AB87D0 appears 100 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 6C60EED0 appears 50 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00AB8880 appears 60 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00ABAE80 appears 85 times
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: String function: 00CD6031 appears 33 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: String function: 00D629E0 appears 33 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00992524 appears 33 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 008551FC appears 36 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00854F08 appears 38 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 009A9318 appears 96 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00985274 appears 34 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 0098514C appears 32 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00987C18 appears 82 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00854EE4 appears 116 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00985220 appears 44 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00872FEC appears 97 times
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: String function: 00985538 appears 36 times

Source: e-SPT Masa PPh.exe

Static PE information: invalid certificate

Source: e-SPT Masa PPh.exe	Static PE information: Resource name: RT_VERSION type: PDP-11 overlaid pure executable not stripped
Source: fixsc.dll.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: fixsc64.dll.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: libcurrant.dll.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: libzdtp.dll.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: libzdtp64.dll.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: fixsc.dll.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: fixsc64.dll.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: e-SPT Masa PPh.exe, 00000000.00000003.1682984141.0000000009B67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000003.00000003.1752731123.000000000564B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000003.00000003.1757532027.0000000008516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
Source: e-SPT Masa PPh.exe, 00000003.00000003.1758799240.00000000079DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs e-SPT Masa PPh.exe

Source: e-SPT Masa PPh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 18.2.Bor32-update-flase.exe.2f3950e.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.Bor32-update-flase.exe.2f3950e.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED	Matched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth, description = Detects Mimikatz by using some special strings, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED	Matched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth, description = Detects Mimikatz by using some special strings, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb

Source: classification engine

Classification label: mal84.rans.troj.spyw.evad.winEXE@23/437@0/1

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00BF18D0 FormatMessageW,GetLastError,

0_2_00BF18D0

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C8828A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		9_2_00C8828A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C7B687 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,FreeLibrary,		9_2_00C7B687

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C25A70 GetDiskFreeSpaceExW,

0_2_00C25A70

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C406B0 CoCreateInstance,

0_2_00C406B0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00ABA700 LoadResource,LockResource,SizeofResource,

0_2_00ABA700

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File created: C:\Program Files (x86)\WindowsInstallerIC

Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File created: C:\Users\user\AppData\Local\AdvinstAnalytics

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1052:120:WilError_03
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\??
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\NIpizDg64rfvhLyrCQMywaHQBENjzMv1R6uEoR8NfcvFEqARIU

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File created: C:\Users\user\AppData\Local\Temp\INA4807.tmp

Jump to behavior

Source: Yara match	File source: 15.0.Bor32-update-flase.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2042743585.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1984404151.0000000002C66000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, type: DROPPED

Source: e-SPT Masa PPh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e-SPT Masa PPh.exe	String found in binary or memory: https://installeranalytics.com
Source: Bor32-update-flase.exe	String found in binary or memory: ISO_6937-2-add
Source: Bor32-update-flase.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: Bor32-update-flase.exe	String found in binary or memory: jp-ocr-b-add
Source: Bor32-update-flase.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: Bor32-update-flase.exe	String found in binary or memory: jp-ocr-hand-add
Source: Bor32-update-flase.exe	String found in binary or memory: NATS-DANO-ADD
Source: Bor32-update-flase.exe	String found in binary or memory: NATS-SEFI-ADD
Source: Bor32-update-flase.exe	String found in binary or memory: addon-installstart
Source: Bor32-update-flase.exe	String found in binary or memory: addon-installover

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File read: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E68703343D1710A5BD8674B125AC70C2 C
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="7304" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 129C99B55643455FEF40AE203A6AF1CF
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe "C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe"
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32" -pIWLHTVJXHINUWUFBWIU -aos -y
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
Source: unknown	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe"
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="7304" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E68703343D1710A5BD8674B125AC70C2 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 129C99B55643455FEF40AE203A6AF1CF	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe "C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe"	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32" -pIWLHTVJXHINUWUFBWIU -aos -y	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe"

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: libjyy.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: upsdk.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: tdpcontrol.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: tdpstat.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: libcurl.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: tdpstat.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: tdpinfo.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: wship6.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: hipsdiamain.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: libmini.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: netdevenvspeed.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: hid.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: avrt.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: midimap.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: e-SPT Masa PPh.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: e-SPT Masa PPh.exe

Static file information: File size 29409880 > 1048576

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcr90.dll

Source: e-SPT Masa PPh.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x298000

Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: e-SPT Masa PPh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: e-SPT Masa PPh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: e-SPT Masa PPh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1682984141.0000000009B67000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1758799240.00000000079DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A09000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000002.2008215461.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000000.1968333923.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000002.2025179001.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000000.2008735464.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000002.2026989357.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000000.2025700023.0000000000CF8000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2088367903.0000000000738000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000012.00000002.2088367903.0000000000730000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, Bor32-update-flase.exe, 00000012.00000002.2098796900.000000006B181000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: e-SPT Masa PPh.exe, 00000000.00000003.1682984141.0000000009B67000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1758799240.00000000079DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2019041869.00000000036FF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2018781654.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: fhjyy.exe, 00000008.00000002.2027520965.0000000000D6E000.00000002.00000001.01000000.0000000B.sdmp, fhjyy.exe, 00000008.00000000.1966251587.0000000000D6E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000013.00000000.2082698409.0000000000D2E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: e-SPT Masa PPh.exe
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.000000000450B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003B42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009D67000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1668437439.0000000008480000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1752731123.000000000564B000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000003.00000003.1757532027.0000000008516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp

Source: e-SPT Masa PPh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: e-SPT Masa PPh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: e-SPT Masa PPh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: e-SPT Masa PPh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: e-SPT Masa PPh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi4857.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C04A60 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,

0_2_00C04A60

Source: e-SPT Masa PPh.exe	Static PE information: section name: .didat
Source: NetmTray.dll.0.dr	Static PE information: section name: .menu_sh
Source: NetmTray64.dll.0.dr	Static PE information: section name: .menu_sh
Source: npaxlogin.dll.0.dr	Static PE information: section name: .orpc
Source: Ntvbld64.dll.0.dr	Static PE information: section name: .share
Source: HackPatch.dll.0.dr	Static PE information: section name: PlugImm
Source: HotfixCommon.dll.0.dr	Static PE information: section name: .detourc
Source: HotfixCommon.dll.0.dr	Static PE information: section name: .detourd
Source: HotfixCommon64.dll.0.dr	Static PE information: section name: .detourc
Source: HotfixCommon64.dll.0.dr	Static PE information: section name: .detourd
Source: ieplus.dll.0.dr	Static PE information: section name: .360_iep
Source: ieplus64.dll.0.dr	Static PE information: section name: .360_iep
Source: iNetSafe.dll.0.dr	Static PE information: section name: .shared
Source: iNetSafe64.dll.0.dr	Static PE information: section name: .detourc
Source: iNetSafe64.dll.0.dr	Static PE information: section name: .detourd
Source: libzdtp.dll.0.dr	Static PE information: section name: .detourc
Source: libzdtp.dll.0.dr	Static PE information: section name: .detourd
Source: libzdtp64.dll.0.dr	Static PE information: section name: .detourc
Source: libzdtp64.dll.0.dr	Static PE information: section name: .detourd
Source: shi4857.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi4857.tmp.0.dr	Static PE information: section name: .didat
Source: NetmTray.dll.1.dr	Static PE information: section name: .menu_sh
Source: NetmTray64.dll.1.dr	Static PE information: section name: .menu_sh
Source: npaxlogin.dll.1.dr	Static PE information: section name: .orpc
Source: Ntvbld64.dll.1.dr	Static PE information: section name: .share
Source: HackPatch.dll.1.dr	Static PE information: section name: PlugImm
Source: HotfixCommon.dll.1.dr	Static PE information: section name: .detourc
Source: HotfixCommon.dll.1.dr	Static PE information: section name: .detourd
Source: HotfixCommon64.dll.1.dr	Static PE information: section name: .detourc
Source: HotfixCommon64.dll.1.dr	Static PE information: section name: .detourd
Source: ieplus.dll.1.dr	Static PE information: section name: .360_iep
Source: ieplus64.dll.1.dr	Static PE information: section name: .360_iep
Source: iNetSafe.dll.1.dr	Static PE information: section name: .shared

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055CC914 push esi; retf	0_3_055CC917
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_05545B2A push 699A677Fh; iretd	0_3_05545B2F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055456D4 push es; ret	0_3_055456E5
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_0553C9A2 pushad ; iretd	0_3_0553CEA9
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_3_055C784D push ebx; ret	0_3_055C785F

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ntvbld.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\filemgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\probe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\1736323119\....\Microsoft.TransCompositio.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\mobileflux.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\hipslog.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\libcurrant.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\libgravity.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI54B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI55ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4100640\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmonEP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\npaxlogin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libcurl.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\HipsdiaMain.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\31563\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NotifyDown.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fhjyy.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4100578\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\QseCore.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPSTAT.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\npaxlogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\libcurl.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB8C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDiagDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\np360SoftMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\Netgm.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4943.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDefender.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI49D2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmLogin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\qutmload.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\lockkrnl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\filemgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI559E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4100609\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\UPSDK.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A96.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HipsLogCenter.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI54EF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiD598.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D33.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\heavygate.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\np360SoftMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiE18F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\shi4857.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4982.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI554F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Gme.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zip.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\imhelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ATellPhon	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4099546\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\mobileflux.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI609F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\RX.EXE	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\qutmipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LiveUpd360.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\qroscfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Agent	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ebHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rar.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPINFO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI48E4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSID4B7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ImAVEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4100671\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\PDown.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\shiF13D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zlib1.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPCONTROL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\ntvbld.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4099515\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\WHelp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiE1FD.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\netmstart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Hamster.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\MiniUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A66.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\hipslog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSID497.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmload.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMDns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\INA4807.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmLogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libcurrant.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5A.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\intl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\leakrepair.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\BBC.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr100.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Watson2.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\4099609\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\11561\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libscent35.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiD529.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Netgm.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\hipslog.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI563C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI606F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ipcservice.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\pluginmgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\heavygate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\MSI551F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\lzmaextractor.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\iopdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libgravity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\NetDevenvSpeed.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qroscfg.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libmini.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\7z.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB8C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D33.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A66.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A96.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0B.tmp	Jump to dropped file

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Agent	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ATellPhon	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl	Jump to dropped file

Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe

Code function: 8_2_6C2011C0 ProcessMain,memset,CoInitialize,CoCreateGuid,CoCreateGuid,CoUninitialize,memset,lstrlenW,memset,memset,memset,memset,memset,memset,memset,memset,memset,_wcsrev,memset,lstrcatW,lstrcatW,memset,memset,memset,memset,memset,memset,memset,memset,memset,lstrcmpW,lstrcmpW,lstrcmpW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,memset,wsprintfW,wsprintfW,memset,wsprintfW,memset,wsprintfW,ShellExecuteExW,WaitForSingleObject,CloseHandle,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,exit,

8_2_6C2011C0

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zlsckp81706femtb

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009E05DC IsIconic,GetWindowPlacement,GetWindowRect,	18_2_009E05DC
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A1A5DC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	18_2_00A1A5DC
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009F4990 IsIconic,	18_2_009F4990
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009F4A0C GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,	18_2_009F4A0C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A1B054 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	18_2_00A1B054
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A19CD4 IsIconic,GetCapture,	18_2_00A19CD4

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_00A200BC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

18_2_00A200BC

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_008980EC

18_2_008980EC

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\ovf-vmware.xsd
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\ovfenv-vmware.xsd

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

18_2_009FDE9C

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: GetAdaptersInfo,

0_2_6C5DF8D0

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

Thread delayed: delay time: 86400000

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Window / User API: threadDelayed 1439
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Window / User API: threadDelayed 408
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Window / User API: threadDelayed 1931
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Window / User API: threadDelayed 1720
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Window / User API: foregroundWindowGot 1760

Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ntvbld.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\filemgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\probe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\hipslog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\mobileflux.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libcurrant.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libgravity.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI54B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC0B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI55ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4100640\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetmonEP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\npaxlogin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\31563\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4100578\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\npaxlogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB8C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDiagDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\np360SoftMgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Netgm.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4943.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDefender.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI49D2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetmLogin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\qutmload.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\filemgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\lockkrnl.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI559E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4100609\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetSpeed.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1A96.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HipsLogCenter.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI54EF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiD598.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D33.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\heavygate.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\np360SoftMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiE18F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4982.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi4857.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI554F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Gme.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zip.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ATellPhon	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\imhelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4099546\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\mobileflux.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI609F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\RX.EXE	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\qutmipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LiveUpd360.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\qroscfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Agent	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBCC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ebHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI48E4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4B7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC7A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ImAVEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4100671\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\PDown.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF13D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4099515\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ntvbld.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\WHelp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiE1FD.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\netmstart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Hamster.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\MiniUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\hipslog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1A66.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID497.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmload.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMDns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\INA4807.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmLogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libcurrant.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC5A.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\intl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\leakrepair.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4099609\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Watson2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\11561\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libscent35.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiD529.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Netgm.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\hipslog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI563C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI606F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PDown.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ipcservice.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\pluginmgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\heavygate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI551F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\lzmaextractor.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\iopdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libgravity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qroscfg.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\http.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dll	Jump to dropped file
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\7z.dll	Jump to dropped file

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-88712

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	API coverage: 9.1 %
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	API coverage: 1.0 %

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_008980EC

18_2_008980EC

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe TID: 7324	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe TID: 7580	Thread sleep time: -2764800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe TID: 7592	Thread sleep time: -1439000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe TID: 7600	Thread sleep time: -408000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe TID: 7596	Thread sleep time: -990000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe TID: 7588	Thread sleep time: -1931000s >= -30000s

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BEE4E0 FindFirstFileW,GetLastError,FindClose,	0_2_00BEE4E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AD4AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00AD4AD0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C19F30 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00C19F30
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C140C0 FindFirstFileW,FindClose,	0_2_00C140C0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BD0370 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD0370
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C24620 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00C24620
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00C24AA0 FindFirstFileW,FindClose,	0_2_00C24AA0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BFCDF0 FindFirstFileW,FindClose,FindClose,	0_2_00BFCDF0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00BEDBB0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00BEDBB0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C604E20 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6C604E20
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C5FF260 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_6C5FF260
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BEE4E0 FindFirstFileW,GetLastError,FindClose,	3_2_00BEE4E0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00BEDA30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	3_2_00BEDA30
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00C78BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	9_2_00C78BA4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CDD9C1 FindFirstFileExW,	9_2_00CDD9C1
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CDD996 FindFirstFileExA,	9_2_00CDD996
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0085657C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	18_2_0085657C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00858E6C FindFirstFileA,FindClose,	18_2_00858E6C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00858E6A FindFirstFileA,FindClose,	18_2_00858E6A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A52298 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	18_2_00A52298
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A698 FindFirstFileA,FindClose,	18_2_0098A698
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A696 FindFirstFileA,FindClose,	18_2_0098A696
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098A7A8 FindFirstFileA,FindClose,	18_2_0098A7A8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_009D27D0 FindFirstFileA,FindClose,FileTimeToDosDateTime,	18_2_009D27D0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_0098AAB4 FindFirstFileA,GetLastError,	18_2_0098AAB4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00986B80 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	18_2_00986B80
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: 18_2_00A4EDA0 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	18_2_00A4EDA0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C23270 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00C23270

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00CB95F3 VirtualQuery,GetSystemInfo,

0_2_00CB95F3

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Thread delayed: delay time: 86400000
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Thread delayed: delay time: 30000

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.b
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware Authorization Service"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines%s: Failed to retrieve info from %%ALLUSERSPROFILE%%%s.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareAutostartServiceVMAutostartRunServiceStarting service control dispatcher
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[vmwarestring.dll??0string@utf@@QAE@ABV01@@Z??0string@utf@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z??0string@utf@@QAE@ABV_bstr_t@@@Z??0string@utf@@QAE@ABVubstr_t@@@Z??0string@utf@@QAE@ABVustring@Glib@@@Z??0string@utf@@QAE@PBD@Z??0string@utf@@QAE@PBDW4StringEncoding@@@Z??0string@utf@@QAE@PB_W@Z??0string@utf@@QAE@XZ??1string@utf@@QAE@XZ??4string@utf@@QAEAAV01@V01@@Z??8string@utf@@QBE_NABV01@@Z??9string@utf@@QBE_NABV01@@Z??Astring@utf@@QBEII@Z??Bstring@utf@@QBE?BVubstr_t@@XZ??Bstring@utf@@QBEABVustring@Glib@@XZ??Hstring@utf@@QBE?AV01@ABV01@@Z??Hstring@utf@@QBE?AV01@I@Z??Mstring@utf@@QBE_NABV01@@Z??Nstring@utf@@QBE_NABV01@@Z??Ostring@utf@@QBE_NABV01@@Z??Pstring@utf@@QBE_NABV01@@Z??Ystring@utf@@QAEAAV01@ABV01@@Z??Ystring@utf@@QAEAAV01@I@Z?CopyAndFree@utf@@YA?AVstring@1@PADP6AXPAX@Z@Z?CreateWithBOMBuffer@utf@@YA?AVstring@1@PBXH@Z?CreateWithLength@utf@@YA?AVstring@1@PBXHW4StringEncoding@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@DV?$allocator@D@std@@@std@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@_WV?$allocator@_W@std@@@std@@@Z?GetUtf16Cache@string@utf@@ABEPB_WXZ?IntToStr@utf@@YA?AVstring@1@_J@Z?InvalidateCache@string@utf@@AAEXXZ?Validate@utf@@YA_NABVustring@Glib@@@Z?__autoclassinit2@string@utf@@QAEXI@Z?append@string@utf@@QAEAAV12@ABV12@@Z?append@string@utf@@QAEAAV12@ABV12@II@Z?append@string@utf@@QAEAAV12@PBDI@Z?assign@string@utf@@QAEAAV12@ABV12@@Z?begin@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?begin@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?bytes@string@utf@@QBEIXZ?c_str@string@utf@@QBEPBDXZ?clear@string@utf@@QAEXXZ?compare@string@utf@@QBEHABV12@_N@Z?compare@string@utf@@QBEHIIABV12@@Z?compareLength@string@utf@@QBEHABV12@I_N@Z?compareRange@string@utf@@QBEHIIABV12@II_N@Z?empty@string@utf@@QBE_NXZ?end@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?end@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?endsWith@string@utf@@QBE_NABV12@_N@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@0@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@@Z?erase@string@utf@@QAEAAV12@II@Z?find@string@utf@@QBEIABV12@I@Z?find@string@utf@@QBEIII@Z?find_first_not_of@string@utf@@QBEIABV12@I@Z?find_first_not_of@string@utf@@QBEIII@Z?find_first_of@string@utf@@QBEIABV12@I@Z?find_first_of@string@utf@@QBEIII@Z?find_last_not_of@string@utf@@QBEIABV12@I@Z?find_last_not_of@string@utf@@QBEIII@Z?find_last_of@string@utf@@QBEIABV12@I@Z?find_last_of@string@utf@@QBEIII@Z?foldCase@string@utf@@QBE?AV12@XZ?insert@string@utf@@QAEAAV
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd"
Source: e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PANIC: %s599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1981862080.0000000000877000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGXVGX/HoursBrokerVGX/Horker/DrawContentVGX/Microsoft.VC90.CRTVGX/Microsoft.VC90.MFCVGX/OptimizatVGX/Optimizat/pluginsVGX/Optimizat/themesVGX/pluginsVGX/plugins/RunoVGX/UtilsVGX/versionVGX/BoukenVGX/BoukenPVGX/Browser_2VGX/AgentVGX/APKwait.batVGX/ATellPhonVGX/bbnn.rbgVGX/Blend.visualelementsmanifest.xl/Browser_1VGX/BseziofVGX/cbg.sigVGX/cdm.sigVGX/chrome_200_percent.pakVGX/contribscr.iniVGX/cor.sigVGX/DataTransform.iniVGX/dmEetfzcFeMLeUVHoursBroker/CIM_ResourceAllocationSettingData.xsdVGX/HoursBroker/CIM_VirtualSystemSettingData.xsdVGX/HoursBroker/common.xsdVGX/HoursBroker/hi.pk/HoursBroker/hr.pakVGX/HoursBroker/hu.pakVGX/HoursBroker/li.datVGX/HoursBroker/LICENSE.3rdVGX/HoursBroker/LICENSE.libcodecsVGX/HoursBroker/LIElibdtVGX/HoursBroker/livehis.datVGX/HoursBroker/Microsoft.VC80.ATL.manifestVGX/HoursBroker/Microsoft.VC80.CRT.manifestVGX/HoursBroker/package.sGX/HoursBroker/rpi.datVGX/HoursBroker/slist.datVGX/HoursBroker/versionVGX/HoursBroker/xml.xsdVGX/intchar32VGX/intchar64VGX/LastnamaVGX/LastaGX/LastnymcVGX/libtemp.batVGX/LostVGX/LostHeVGX/LostPVGX/LostPHeVGX/LostPSheVGX/LostSheVGX/madBasic_.bplVGX/madDisAsm_.bplVGX/madExcept_bGX/Microsoft.VC80.ATL.manifestVGX/Microsoft.VC80.CRT.manifestVGX/Microsoft.VC90.CRT/Microsoft.VC90.CRT.manifestVGX/Microsoft.VC90.MFC/MicrosoftVMFC.manifestVGX/Microsoft_VC90_CRT_manifestVGX/NetSpeedLogVGX/NULL.binVGX/NVIDIA_GeForce_Experience_jsonVGX/Optimizat/plugins/am.pakVGX/Optiiplugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Optimizat/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVG/mizat/plugins/vd.icoVGX/Optimizat/plugins/versionVGX/Optimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimiztmes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xsdVGX/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmo.X/plugins/de.pakVGX/plugins/el.pakVGX/plugins/en-GB.pakVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC80CanifestVGX/plugins/RunHours/es-419.pakVGX/plugins/RunHours/es.pakVGX/plugins/RunHours/et.pakVGX/plugins/RunHours/fa.pakVGX/plugins/versionVG/ty.plxVGX/Ptuityoosty.plxVGX/qvlnk.broVGX/rbVGX/rtl120.bplVGX/settingssVGX/settingss2VGX/somextrainfo.iniVGX/SresoBooster.uiVGX/station.bn/SysP1.batVGX/SysP2.batVGX/Theme.icoVGX/TP.iniVGX/vcl120.bplVGX/vclx120.bplVGX/version/AARV1VGX/version/AARV2VGX/version/AuLibV1VGX/versinibV2VGX/version/CharMainoV1VGX/version/CharMainoV2VGX/version/CjLibV1VGX/version/CjLibV2VGX/version/ComeOnVGX/version/globalV1VGX/version/go2VGX/version/QdLibV1VGX/version/QdLibV2VGX/version/qvlnkbroV1VGX/version/qvlnkbroV2
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!!
Source: e-SPT Masa PPh.exe, e-SPT Masa PPh.exe, 00000000.00000003.2054132025.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1678426595.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1682499855.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047565421.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1679612341.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2055434001.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047565421.00000000055C7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1679527605.00000000055C9000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2053105961.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054132025.00000000055C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: e-SPT Masa PPh.exe, 00000000.00000002.2055434001.00000000055BD000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2053105961.00000000055BD000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2054132025.00000000055BD000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1679550206.0000000005596000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1682499855.00000000055AE000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2047565421.00000000055BC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1679612341.00000000055BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpI]
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1981862080.0000000000877000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGX\plugins\RunHours\es-419.pak-vmware.xsdmizat\plugins\Microsoft.VC80.CRT.manifest..
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Unicode_TrimRightvmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.1981862080.0000000000877000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGXVGX/HoursBrokerVGX/HoursBroker/DrawContentVGX/Microsoft.VC90.CRTVGX/Microsoft.VC90.MFCVGX/OptimizatVGX/Optimizat/pluginsVGX/Optimizat/themesVGX/pluginsVGX/plugins/RunHoursVGX/UtilsVGX/versionVGX/BoukenVGX/BoukenPVGX/Browser_2VGX/AgentVGX/APKwait.batVGX/ATellPhonVGX/bbnn.rbgVGX/Blend.visualelementsmanifest.xmlVGX/Browser_1VGX/BseziofVGX/cbg.sigVGX/cdm.sigVGX/chrome_200_percent.pakVGX/contribscr.iniVGX/cor.sigVGX/DataTransform.iniVGX/dmEetfzcFeMLeUVbVGX/HoursBroker/CIM_ResourceAllocationSettingData.xsdVGX/HoursBroker/CIM_VirtualSystemSettingData.xsdVGX/HoursBroker/common.xsdVGX/HoursBroker/hi.pakVGX/HoursBroker/hr.pakVGX/HoursBroker/hu.pakVGX/HoursBroker/li.datVGX/HoursBroker/LICENSE.3rdVGX/HoursBroker/LICENSE.libcodecsVGX/HoursBroker/LICENSE.libdtVGX/HoursBroker/livehis.datVGX/HoursBroker/Microsoft.VC80.ATL.manifestVGX/HoursBroker/Microsoft.VC80.CRT.manifestVGX/HoursBroker/package.jsonVGX/HoursBroker/rpi.datVGX/HoursBroker/slist.datVGX/HoursBroker/versionVGX/HoursBroker/xml.xsdVGX/intchar32VGX/intchar64VGX/LastnamaVGX/LastnameVGX/LastnymcVGX/libtemp.batVGX/LostVGX/LostHeVGX/LostPVGX/LostPHeVGX/LostPSheVGX/LostSheVGX/madBasic_.bplVGX/madDisAsm_.bplVGX/madExcept_.bplVGX/Microsoft.VC80.ATL.manifestVGX/Microsoft.VC80.CRT.manifestVGX/Microsoft.VC90.CRT/Microsoft.VC90.CRT.manifestVGX/Microsoft.VC90.MFC/Microsoft.VC90.MFC.manifestVGX/Microsoft_VC90_CRT_manifestVGX/NetSpeedLogVGX/NULL.binVGX/NVIDIA_GeForce_Experience_jsonVGX/Optimizat/plugins/am.pakVGX/Optimizat/plugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Optimizat/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVGX/Optimizat/plugins/vd.icoVGX/Optimizat/plugins/versionVGX/Optimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimizat/themes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xsdVGX/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmon.hVGX/plugins/de.pakVGX/plugins/el.pakVGX/plugins/en-GB.pakVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC80.CRT.manifestVGX/plugins/RunHours/es-419.pakVGX/plugins/RunHours/es.pakVGX/plugins/RunHours/et.pakVGX/plugins/RunHours/fa.pakVGX/plugins/versionVGX/Ptuity.plxVGX/Ptuityoosty.plxVGX/qvlnk.broVGX/rbVGX/rtl120.bplVGX/settingssVGX/settingss2VGX/somextrainfo.iniVGX/SresoBooster.uiVGX/station.binVGX/SysP1.batVGX/SysP2.batVGX/Theme.icoVGX/TP.iniVGX/vcl120.bplVGX/vclx120.bplVGX/version/AARV1VGX/version/AARV2VGX/version/AuLibV1VGX/version/AuLibV2VGX/version/CharMainoV1VGX/version/CharMainoV2VGX/version/CjLibV1VGX/version/CjLibV2VGX/version/ComeOnVGX/version/globalV1VGX/version/globalV2VGX/version/QdLibV1VGX/version/QdLibV2VGX/version/qvlnkbroV1VGX/version/qvlnkbroV2VGX/version/settingV1VGX/version/settingV2VGX/version/ShellVGX/version/TOFNCVGX/version/WinCallVGX/VNL.iniVGX/WBGvisualelementsmanifestVGX/WGLogin.olgVGX/Win.rbgVGX/7z.dllVGX/APXhttp.dllVGX/APXmodule-2.0.dllVGX/BBC.exeVGX/bfcipc.dllVGX/bpchelper.dllVGX/ebHost.exeVGX/EduW
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 17.5.0 build-22583795VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdvmauthd.connectionSetupTimeoutCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Authorization Service
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmwarestring"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HttpURI_ParseAndDecodeURLvmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware BasicHTTP DLLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Server Console
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart.log
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware event log sourceL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Workstation
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmware-authd.exeF
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-hostd
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXYBasicHTTP: AppendRequestHeader failed to append to the request header. Insufficient memory.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware string libraryL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000002.2008092236.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \es-419.pak-vmware.xsdmi@
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmwarestring.DLLF
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware string library"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarestring.dll
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ProductNameVMware WorkstationP
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \VMware\VMware Workstation\vmAutoStart.xml
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2023 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE0bora\apps\lib\basicHttp\http.cBasicHTTP: curl_multi_init failed.
Source: Bor32-update-flase.exe, 00000012.00000002.2088417454.000000000076C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb..
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware Authorization ServiceL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.D
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-debug.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXY
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-stats.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb--
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: InternalNamevmwarestringj#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000002.2008125246.0000000000944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGX\Optimizat\themes\ovfenv-vmware.xsd
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: @vmware-autostartVMAutostart_InitGetVMAutostartConfigFilePathCould not get the ALLUSERSPROFILE folder path
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.R
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware event log source"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.T
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware-client
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.@
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.X
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Autostart ServiceCreateService failed (%d)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.basichttp"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd-log"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-\vmware-autostart.loga+Cannot open file '%s'
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware BasicHTTP DLL"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vpxa

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00CC1723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CC1723

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C277A0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00C277A0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

0_2_00C04A60

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CBC11D mov esi, dword ptr fs:[00000030h]	0_2_00CBC11D
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CD66BA mov eax, dword ptr fs:[00000030h]	0_2_00CD66BA
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CD6676 mov eax, dword ptr fs:[00000030h]	0_2_00CD6676
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CC7D84 mov ecx, dword ptr fs:[00000030h]	0_2_00CC7D84
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C61BA5B mov ecx, dword ptr fs:[00000030h]	0_2_6C61BA5B
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C623ABD mov eax, dword ptr fs:[00000030h]	0_2_6C623ABD
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CBC11D mov esi, dword ptr fs:[00000030h]	3_2_00CBC11D
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CD66BA mov eax, dword ptr fs:[00000030h]	3_2_00CD66BA
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CD6676 mov eax, dword ptr fs:[00000030h]	3_2_00CD6676
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CC7D84 mov ecx, dword ptr fs:[00000030h]	3_2_00CC7D84
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D660A8 mov eax, dword ptr fs:[00000030h]	8_2_00D660A8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D68164 mov eax, dword ptr fs:[00000030h]	8_2_00D68164
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CC1819 mov eax, dword ptr fs:[00000030h]	9_2_00CC1819
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CC18A7 mov eax, dword ptr fs:[00000030h]	9_2_00CC18A7

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00CBC189 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00CBC189

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AF22F0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00AF22F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CBCC0E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CBCC0E
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00AF4F40 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00AF4F40
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_00CC1723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CC1723
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C60EDA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C60EDA5
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C60DF73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C60DF73
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 0_2_6C612FB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C612FB3
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AF22F0 __set_se_translator,SetUnhandledExceptionFilter,	3_2_00AF22F0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CC1723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00CC1723
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00CBCC0E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00CBCC0E
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: 3_2_00AF4F40 __set_se_translator,SetUnhandledExceptionFilter,	3_2_00AF4F40
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D65453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00D65453
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D62920 SetUnhandledExceptionFilter,	8_2_00D62920
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D61EEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00D61EEE
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_00D6278E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00D6278E
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_6C202522 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6C202522
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Code function: 8_2_6C202644 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6C202644
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB460E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00CB460E
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB47A4 SetUnhandledExceptionFilter,	9_2_00CB47A4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CD8B72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00CD8B72
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00CB3395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00CB3395

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00BD3300 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,

0_2_00BD3300

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="7304" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32" -pIWLHTVJXHINUWUFBWIU -aos -y	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y	Jump to behavior
Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe	Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y	Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_6C605EC0 LocalFree,LocalFree,GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,GetLastError,LocalFree,SetSecurityDescriptorDacl,FreeLibrary,

0_2_6C605EC0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00BEA0A0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_00BEA0A0

Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Fabout:blank:\kernel32.dll*winswinntwin2000win2000serverwinxpwin2003winvistawin2008win7win2008r2win8win2012win11win10GetNativeSystemInfoProgmanSHELLDLL_DefViewWorkerWSysListView32ToolbarWindow32NotifyIconOverflowWindowBUTTON;Versionopen=%s\%sgetNetBarConfig szMainkey:%s szKey:%s szValue:%s getNetBarConfig error szMainkey:%s szKey:%s
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ]wQCFFTaskBarDlg{"fftaskbar":{"%s":1,"color":%d,"percent":%d,"align":%d,"applyType":%d}}-%s %d %d %d %dSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGameDev.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGame.exeInstallPath%s\wegame.exeExeFileGetCommandLineWkernelBase.dllGetCmdLinentdllProgram ManagerNVIDIA GeForce OverlayDeskWindowkdeskOSRWindowCcWaterMarkWindowATL:00D719E0TXGuiFoundationFound FullScreen Windows: strWindowName=%s strWndClassName=%s hwnd=0x%xSOFTWARE\Microsoft\Windows\CurrentVersion\RunFFWallpaper.exe -silentFFWallpaperSetAutoRun %d, result: %dFolderViewTXMiniSkinLhb
Source: Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: tiCBaseWallPaperPlayer::RemoveAllOldWindowsCBaseWallPaperPlayer: RemoveOldWindowsEx: BasePlayerWnd=0x%xCBaseWallPaperPlayer::RemoveWindows()~CDesktopAttributesCDesktopAttributes::ExitFetchThreadCDesktopAttributes::FetchDesktopInfoThreadNew thread New start @@@@CDesktopAttributes::FetchDesktopInfoThread New exitCDesktopAttributes::FetchDesktopInfoThread New not found Program ManagerCDesktopAttributes::FetchDesktopInfoThread New begin set worker end: #### no explorer.exeCDesktopAttributes::FetchDesktopInfoThread New Err: #### no Program Manager with explorerCDesktopAttributes::monitor explorer err quit bizhiWindows

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_6C60E56C cpuid

0_2_6C60E56C

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_00C1C310
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6C626C39
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,	0_2_6C626D3F
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6C626E0E
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: EnumSystemLocalesW,	0_2_6C62681D
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6C6268B0
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: EnumSystemLocalesW,	0_2_6C61FB3D
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,	0_2_6C626B10
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: EnumSystemLocalesW,	0_2_6C626737
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: EnumSystemLocalesW,	0_2_6C626782
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,	0_2_6C620006
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_6C5EB370
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Code function: GetLocaleInfoW,	3_2_00CD635A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00CDA219
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_00CE335A
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CE35D2
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CE36D6
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CE363B
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CD97C9
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_00CE3763
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CD98ED
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00CE39B3
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00CD9931
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00CE3ADC
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00CE3BE3
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00CE3CB0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	18_2_00856740
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetLocaleInfoA,	18_2_0085C6A8
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetLocaleInfoA,	18_2_0085C6F4
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	18_2_0085684C
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetLocaleInfoA,	18_2_0098E194
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetLocaleInfoA,	18_2_0098E1E0
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	18_2_00986D44
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	18_2_00986E50
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	18_2_00A96054

Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C34930 CreateNamedPipeW,CreateFileW,

0_2_00C34930

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C276B0 GetLocalTime,

0_2_00C276B0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00C332B0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_00C332B0

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Code function: 18_2_009A72D0 GetTimeZoneInformation,

18_2_009A72D0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Code function: 0_2_00AB7AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_00AB7AA0

Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Create Account	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Windows Service	1 Access Token Manipulation	1 Timestomp	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	31 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Windows Service	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 File Deletion	LSA Secrets	47 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	381 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	13 Process Injection	/etc/passwd and /etc/shadow	241 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll	4%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll	3%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll	0%	ReversingLabs
C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dll	3%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	0%	Avira URL Cloud	safe
http://www.kuwo.cn0	0%	Avira URL Cloud	safe
http://ocsp.digicert.c	0%	Avira URL Cloud	safe
http://updatestats.cd4o.com/api.php?act=update	0%	Avira URL Cloud	safe
https://www.hfnuola.com	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	0%	Avira URL Cloud	safe
http://www.ludashi.com0	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	0%	Avira URL Cloud	safe
http://install-log.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.3	0%	Avira URL Cloud	safe
http://www.super-ec.cn	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/desktopSubject	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
http://forums.iobit.com/showthread.php?t=16792	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/advertising.html?type=	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/StartUp	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	0%	Avira URL Cloud	safe
https://www.itrus.com.cn0	0%	Avira URL Cloud	safe
http://www.bsplayer.com	0%	Avira URL Cloud	safe
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	0%	Avira URL Cloud	safe
https://logs.hfnuola.com	0%	Avira URL Cloud	safe
https://www.hfnuola.com/select	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	0%	Avira URL Cloud	safe
http://stats.iotransfer.net/active.php	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/hour	0%	Avira URL Cloud	safe
https://idea.hfnuola.com	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iobit.com/appgoto.php?to=download	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kuwo.cn0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/goto.php?id=plusgp01_DB	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://updatestats.cd4o.com/api.php?act=update	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=activateweb-%d	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.digicert.c	e-SPT Masa PPh.exe, 00000000.00000003.2047271124.0000000008472000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2056435084.000000000847F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stats.iobit.com/register.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	Bor32-update-flase.exe, 00000012.00000002.2089424089.0000000000ADD000.00000020.00000001.01000000.0000001D.sdmp	false		high
http://www.iobit.com/faq.php?product=db	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ludashi.com0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=vertoold	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/active.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/db2_oth.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=feature	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://curl.haxx.se/V	e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2100190046.000000006B296000.00000008.00000001.01000000.00000020.sdmp	false		high
http://www.iobit.com/cloud/db/index.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://collect.installeranalytics.com	e-SPT Masa PPh.exe, e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=bannerbuy	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=index	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=lostcode	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=proupdate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/moreuse.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://idb.iobit.com/check.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://install-log.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.3	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s1.driverboosterscan.com/worker.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/goto.php?id=plusgp01_DBU	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=compare	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/hotquestions-db.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/driver-booster-pro.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=regovermax	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=usermanual	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.super-ec.cn	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micr	e-SPT Masa PPh.exe	false		high
http://stats.iobit.com/active_month.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	e-SPT Masa PPh.exe, 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.1667015715.0000000009C4B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/lostcode.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/other/db_temp_download.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/rfc/bcp/bcp47.txt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/Freeware-db.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://forums.iobit.com/showthread.php?t=16792	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=install	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.zlib.net/D	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004D61000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.0000000003621000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/desktopSubject	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004715969.00000000037D5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2004540253.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/StartUp	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/iobitsoft	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bizhiweb.hfnuola.com/web/advertising.html?type=	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/goto.php?id=dbsurvey	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://klog.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.itrus.com.cn0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.360.cn	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.bsplayer.com	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://logs.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cd4o.com/drivers/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=othupdate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=feedback	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.iotransfer.net/active.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=helptranslate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.hfnuola.com/select	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sysinternals.com	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/hour	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=forum	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ascstats.iobit.com/usage.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002FCC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.1984404151.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/productfeedback.php?product=driver-booster	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://idea.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=filerupt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003EE9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003E7D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004088000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000046C1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.00000000043E4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003D1B000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/db2_free.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0B	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000004A9E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://installeranalytics.com	e-SPT Masa PPh.exe	false		high
http://update.iobit.com/infofiles/db2/db2_pro.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	Bor32-update-flase.exe, 00000012.00000002.2093700829.0000000002953000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=revokedkey	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$	e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2020731516.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2100190046.000000006B296000.00000008.00000001.01000000.00000020.sdmp	false		high
http://www.iobit.com/goto.php?id=likefb01_DB	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=activateweb	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2005842465.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.82.113.139	unknown	Seychelles		32708	ROOTNETWORKSUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585779
Start date and time:	2025-01-08 08:57:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	e-SPT Masa PPh.exe
Detection:	MAL
Classification:	mal84.rans.troj.spyw.evad.winEXE@23/437@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 60% Number of executed functions: 115 Number of non-executed functions: 134
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.109.210.53, 172.202.163.200, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:57:58	API Interceptor	1x Sleep call for process: e-SPT Masa PPh.exe modified
02:58:37	API Interceptor	1x Sleep call for process: Bor32-update-flase.exe modified
02:58:39	API Interceptor	488213x Sleep call for process: Haloonoroff.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.82.113.139	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse
154.82.113.139	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	I6la3suRdt.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	FACTURAMAIL.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	199.232.214.172
	Kawpow new.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTNETWORKSUS	leBwnyHIgx.exe	Get hash	malicious	GhostRat	Browse	154.82.85.107
	6f0slJzOrF.exe	Get hash	malicious	GhostRat	Browse	154.82.85.79
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	156.236.225.1
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	154.82.113.139
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	154.82.113.139
	MicrosoftEdgeUpdateSetup.exe	Get hash	malicious	Unknown	Browse	154.82.68.34
	nshkarm5.elf	Get hash	malicious	Mirai	Browse	154.94.148.181
	x86.elf	Get hash	malicious	Unknown	Browse	154.82.151.143
	bot.x86.elf	Get hash	malicious	Mirai	Browse	38.145.246.125
	nsharm7.elf	Get hash	malicious	Mirai	Browse	156.236.225.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse
C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse
C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse
	ZwmyzMxFKL.exe	Get hash	malicious	BlackMoon	Browse
	ZwmyzMxFKL.exe	Get hash	malicious	BlackMoon	Browse

Created / dropped Files

C:\Config.Msi\3df3be.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	94205
Entropy (8bit):	6.418288777592366
Encrypted:	false
SSDEEP:	1536:M/VvMFn9PKxEi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRw:T3WO0ioC3DID/ZxvpY1yRe5ObhXq
MD5:	BCF6FA683B580C06FE76121BF3426975
SHA1:	A19326FC43EA402547648E986753FA5E4BC8780F
SHA-256:	AC9348EB6BA3247197478F4B637D842CA0B8C1DF8E478494F1C5D5E8A1A23CC5
SHA-512:	B26F0087178C3AA9A7C2C475569C0E432C75E8EE5DEFB74F10E7F44729AB835963D95BAFE081E25C98B787636E101161E75DCCA521E1D1A4ED39D19DDEF5F92C
Malicious:	false
Preview:	...@IXOS.@.....@J.(Z.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{B27D822E-68C4-4CF6-961C-F62B0D119E2A}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{EC42FCB1-8AAF-4702-9E48-B83254BD3FB0}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{BDAF5FA3-1BA6-42D1-894D-41DA643F7A2B}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{25BC8264-C934-445D-B75A-54A198CB23F0}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{546DDB96-6B8B-4364-8020-B0224286327F}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{F6C9FDFB-FE64-4F40-A063-A4A1D40934C4}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{B8

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Download File

Process:	C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe
File Type:	data
Category:	dropped
Size (bytes):	27380
Entropy (8bit):	3.69059304024062
Encrypted:	false
SSDEEP:	384:q4UuyaIN3DY/vDa/kj7shXCbs2ywaVf9vH:WBaIm3Da/NhXCan
MD5:	A926028B91890FED4F6F59793FA46956
SHA1:	89DC891E34A3F1DF496799B71C9DCD02C2351C04
SHA-256:	D796CB830265B9C0A5BDA73EEA3226D3847213D1C10D535EAFE7FCC8DD3A808C
SHA-512:	0B3AF447F93B85763C82408E745275DAD364DCB6D5E33CF9A9CF3904023A7C136DB981BD07CA18064AF0A5F353B15D0A5AE0BDEAE6A7AA6158C94A9026F95FDE
Malicious:	true
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.0. . .3.:.2.:.3.9.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.1. . .3.:.3.:.3.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.2. . .3.:.4.:.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.3. . .3.:.4.:.3.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.4. . .3.:.4.:.3.9.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.5. . .3.:.5.:.9.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.6. . .3.:.6.:.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.8. . .3.:.6.:.3.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.2.9. . .3.:.7.:.8.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..

C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse Filename: ZwmyzMxFKL.exe, Detection: malicious, Browse Filename: ZwmyzMxFKL.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	204
Entropy (8bit):	6.524007625247223
Encrypted:	false
SSDEEP:	6:uXphPJHpYvKNvarzc7Wqhd/2NZ4xJH6R5KMEL:GuvKNvKcUNgS5Y
MD5:	3E08DF5CDDD1F234418DB3C19F4C9700
SHA1:	67898ADFFD834CE604643B8835F0700D5A0FF4E8
SHA-256:	F8FC4386A90F2C819E9CA03C7821184AC0E65457A6CDCDACC4C0E7F10034D267
SHA-512:	E6580EA95E54B5F9A387E23B1425C950AEE3C59CEF02229A5CF5FD48F4F0665B2F2DE5C76465F7E54938EE47F1ACCD5F0353BACDA98042625061844811828C5F
Malicious:	false
Preview:	7z..'...d...p.......<.........G...k.L..f&*.Q....H.:\.w.......M..9.v.z.ld...\|.......i...lO4...VJ.\.v\|,...?K{Sp..X.3q6..rX_.8.s.^..%......oZ.....p......$.....S.\.>7..#r...B.>..#....].......n......v...

C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400480
Entropy (8bit):	6.6249170967240625
Encrypted:	false
SSDEEP:	12288:ke/EYk6LSMAROeK3nzAPSayAj7+fyJHbVJMs/ubUQ3Q/p:MQ7DAvhpGs/8UQ3QB
MD5:	CC4F1CDFA6A90B6152B8012E8C035DFD
SHA1:	011098BADE1BD47557147B8CF3BAF4A070CB9D7C
SHA-256:	7B9FF465FA54E5EDF69F0794D7CAF7ADC6D7B20534E6DA0181DC93DC062E7CCA
SHA-512:	0084BADEBBAC672904BD7E19019C2D86B4745DEA26229CE82E48E0A5134DF3FA42B4948C673B17432BFE14F13A82B0BAFF3B5D861AA4AB3A951AF40793780CE1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..N>.EN>.EN>.E.qXEM>.EGF[ET>.EGFJE.>.EGFME.>.Ei..E[>.EN>.E.>.EGFDEg>.EGF\EO>.EPlZEO>.EGF_EO>.ERichN>.E................PE..L.....rZ...........!.........*......?#.......................................P......j.....@..........................m.......^..........x................5......H3..0...................................@............................................text............................... ..`.rdata..d...........................@..@.data....q...p...6...Z..............@....rsrc...x...........................@..@.reloc..PM.......N..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	427104
Entropy (8bit):	6.602064716561835
Encrypted:	false
SSDEEP:	12288:d54WjgpIW+m/CbqwcAjoZOtjEipBiRuL9JK:avGPJbtjEY2uL7K
MD5:	50B836C0E21FD4EF3F6F6102F9162FEA
SHA1:	704834D4BE32AD186FD761E908CC0518AC2A8117
SHA-256:	8CFC18609E75074EB0FBF3C87C1B41E263DE503083A7EBBB00643E0F05A2920E
SHA-512:	B2C220F954A38B7EBC44FA60454CD8322A21714F1E3D593F32B7C4865113157965E1C8C0821F60F1865270FCB2529EBF8CDD32F1DE44A7626C0D0DB304C72644
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p...#...#...#..T#...#..W#...#..F#Y..#..A#...#/V.#...#...#...#..H#:..#..P#...#..V#...#..S#...#Rich...#........................PE..L.....rZ...........!.........F.......c....... ............................................@.....................................x....@...............N...5...P..88..."...............................k..@............ ...............................text............................... ..`.rdata..r.... ......................@..@.data...Dm.......6..................@....rsrc........@......................@..@.reloc...Y...P...Z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	572512
Entropy (8bit):	6.263529853370218
Encrypted:	false
SSDEEP:	12288:Azb0JSwmBU/no1rNW23dImf/D/cnlu41T3ork5d:AH0JSwmko1rNW23df/D/cnlhp3d5d
MD5:	984829AFB3ED76FABCAB8AE4BE1FF15C
SHA1:	2498F20AB62E3061FB144C7CEAE5CF254D6C7095
SHA-256:	F257E86E42D7546C37AEABDC7BF1D00BC09E7B26D9AF4478302FF2B872187C33
SHA-512:	5270AE482E8C462B5360DD60C06D8757BE5F7E513A0A7BF993F3F088A67516AAA0A744CDBD034828D3AAF5E6EADAF630317ACF325B03E028398C7EAC12A97B04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........BG@.....pC.....pR.....pU.L...........f...p\.....pD.....ZB.....pG....Rich...................PE..d.....rZ.........." .....F...:......,T...............................................V....@.....................................................x............p..Tf.......5..........pe...............................................`..X............................text....E.......F.................. ..`.rdata..Tx...`...z...J..............@..@.data............@..................@....pdata..Tf...p...h..................@..@.rsrc................l..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	572312
Entropy (8bit):	6.6114481461607175
Encrypted:	false
SSDEEP:	6144:KmuYzDRB54CwW2U0lY4woeFuA0TpxVQ8Y3Ew+zBsPO3erF7q0zoCiJbDjdxzF5og:Ju+469PqNYsBsPTziDjLbCEGne9Z
MD5:	5CC95EA39AB6D7751A1A85F832CCA011
SHA1:	387B60FE4F257BA8A0F5DA566709640F972EAA3B
SHA-256:	4BF5DD0ED84D6C7B4965628A22668F733C167427B20A4B56AE356205381B527F
SHA-512:	6E28E6D3D1A6BF4FB046A7F03F68FE27F8A7151465412EA4126AD3DD2A9DC9C89238923E858C644892D72D318CF2112C4AE60DAE363CC5EC41DEF1663BFDD101
Malicious:	false
Yara Hits:	Rule: Mimikatz_Gen_Strings, Description: Detects Mimikatz by using some special strings, Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, Author: Florian Roth Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, Author: Florian Roth
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.^.?g..?g..?g.=Nf..?g..ac..?g..ad..?g..Yb..?g..Vf..?g.=Nb..?g.<Nb..?g..G...?g..Ya..?g......?g.!ab..?g.!ac..?g.>ac..?g.>ab..?g..ab..?g..Yc..?g.....?g.....?g.H0:..?g..Yf..?g..?f.5=g.!an..?g.!ag..?g.!a...?g..?...?g.!ae..?g.Rich.?g.........................PE..L....Enc...........!.....,...\|...............@............................................@.........................`p.......q.......0...r...........r...I......dK......p...............................@............@...............................text....*.......,.................. ..`.rdata...T...@...V...0..............@..@.data...D_.......$..................@....gfids..............................@..@.tls................................@...PlugImm...... ......................@....rsrc....r...0...t..................@..@.reloc..dK.......L...$..............@..B................................................

C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	249768
Entropy (8bit):	6.601810977306283
Encrypted:	false
SSDEEP:	3072:/0jvJ1SDHfvcFHDSU4/eebh4HT4dK62HPWA2F0T7z/LDdUjE2rRNq5N5EuXCRfC:/0jTSrMtceebhz32HPWnoBUw2/G5r
MD5:	2EA3ACA1D36D16F0699261F77EE6ECCE
SHA1:	31C6575F5EC4F48ED3939FD5484F4E3D5869D3DA
SHA-256:	12B2AAA9C7222B13E97A0870006CFC498134F7182009C49FAD0281A85D5CD386
SHA-512:	30057B3491807413603C5A4668D020A384548CE6F41BA9DE6C708C4BF052BE10113AE5AAF41697ACC2AB56E9674EE8DC4669584FA9F838A9359842038F82394E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.....U....9.U......U.*...U..T.'.U.....U.....U.....U.....U.Rich..U.........................PE..L..._wWX...........!................................................................,.....@..........................M..R....B..d.......l................5......8...`...............................@...@............................................text...o........................... ..`.rdata.."~..........................@..@.data....H...P...,...6..............@....rsrc...l............b..............@..@.reloc...,...........j..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	555240
Entropy (8bit):	6.523642703236138
Encrypted:	false
SSDEEP:	12288:RzJibra10t6DBAAxFhNngOsLOsZDvnCjN8d6HVilI5hKRPnQ0FbgB4e:CbzipngOsLOsZL38IKb4PQ0Fbje
MD5:	4B481EA28EC7B065AD6C7FE7674AA363
SHA1:	152FC3DA4A1DF717623E4D57476A1D72ADD7F610
SHA-256:	92AA7045E70E2BBB706DCD1A1D9B41026CFA06FEDF0E48EE0CAE63B8B80084F5
SHA-512:	08F8388322D3623F8DBC23DB60E0542B972754FEAB4071C0FC7382F9EBD54313A8A10E5EBAC9D72E5F4909B23A2FCB4114B44BCF47F3090B029DDEA27CFF21B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\O..=!..=!..=!..E...=!.Kr...=!..E...=!..o...=!..E..b=!..E...=!..= .<!..E..=!..E...=!..o...=!..E...=!.Rich.=!.........PE..L......d...........!.........V...........................................................@.............................w............................L..P,...`..4C..................................8v..@............................................text............................... ..`.rdata..............................@..@.data...\........j..................@....rsrc................@..............@..@.reloc...Z...`...\..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	180800
Entropy (8bit):	6.720835675786583
Encrypted:	false
SSDEEP:	3072:zQPGqss58Kg5dqBLQ8/90/qTQPOfb7+sH1buHv/c6R2Wmjgk4Kq2iSiTHa89B:zQPB4jqBLQ86qsPOf+8RuHXc6tmv4KqZ
MD5:	91D9E316BD0533C92BDE234131EC7AB4
SHA1:	86D1997382E3FE81AC27B88EFE33E1773D095518
SHA-256:	62BAAD0A128B580889091F015384410BD491F21BB101682557B034ACB28E00D9
SHA-512:	BDD41A900EB1299815CA24FD78EE5499F20C78C5E62CAF11934A5348836C557AB402DF1D75B4932AA6E322562C8CDEBB120FC74137ED9D693AE6719C44C5718F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................x...........!..L.!This program cannot be run in DOS mode....$.......N .'.A.t.A.t.A.t..zt.A.tX).u.A.tX).u.A.to'.u.A.t.(.u.A.t./.u.A.t.9(t.A.t.,.u.A.t.,.u.A.tK&.u.A.tK&.u.A.t.(.u.A.t.(.u.A.to'.u.A.to'.u.A.to'.u.A.t.A.t.@.tX).u.A.t.,.u.A.t.(.u.A.t.(.u.A.t.(.u.A.t.(Bt.A.t.At.A.t.(.u.A.tRich.A.t........................PE..L....@W^...........!................................................................i....@.........................p'......x(..x........................7..........@...p...............................@...............8...x#..`....................text............................... ..`.rdata..tD.......F..................@..@.data...h....@......."..............@....detourcX6...`...8.................@..@.detourd$............b..............@....rsrc................d..............@..@.reloc...............j..............@..B................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	219200
Entropy (8bit):	6.255426513524174
Encrypted:	false
SSDEEP:	3072:n7pWDP71+xRSkTt9XFD6RAtofSUAfohtDanx51K6flyT9S9:1WDP71+xR7h9XFBtofStomfK69e9S9
MD5:	C64D91E0734622D550F578CAC023FE9B
SHA1:	9B5F47305F02ED862BE6A8E6F6D48647F9311E84
SHA-256:	9AA97B67D074D85CAFB29A0A561DFAA2416A283FC8A228B6904D63D16C8C463B
SHA-512:	FD419DE7FBC7C0B9F33CD340E2DEF67849DF628799FC0507DFEB6F77DD8681232B81216D082155278EC7D158E99FB480EEAC884A8962F410321F91A89D500CBD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........-...L.E.L.E.L.Er.^E.L.E.$.D.L.E.$.D.L.E..D.L.Et%.D.L.Ev".D.L.E.!.D.L.E.!.D.L.E.+.D.L.E.+.D.L.Ev%.D.L.Ev%.D.L.E..D.L.E..D.L.E..D.L.E.L.ERM.E.$.D.L.E&!.D.L.Ew%.D.L.Ew%.D.L.Ew%.D.L.Ew%fE.L.E.L.E.L.Ew%.D.L.ERich.L.E........PE..d....AW^.........." .........$...... .....................................................`.........................................0.......8...x....`............... ...7...p..T...PO..p....................O..(....'............... ......0}..`....................text...0........................... ..`.rdata...q... ...r..................@..@.data................x..............@....pdata..............................@..@.detourc.h.......j..................@..@.detourd@....P......................@....rsrc........`......................@..@.reloc..T....p......................@..B................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175728
Entropy (8bit):	6.544553321577818
Encrypted:	false
SSDEEP:	3072:ix5UgqxBe84iqhlPyKc4pquYWWM1qOrlhPzc8ylmyK5WodzzDi:i4pgbzTYWRZHrc9lNQzq
MD5:	B8FDC03B9B84A62C5C541524DCA2E723
SHA1:	5643ADAE63CA199F9C44A35F3B30947A0F8B6D21
SHA-256:	1F6F3DADCC4C3096EEBFB5CE5DB979755ABA5CEB9DB18E6CA6238F05B45E5F4D
SHA-512:	A31708C251967D484F242BE658E92E94D87671294CD2C959276EC3B739D46F3FC7D1140CC8F78640DBD9970EC2176633E67DD079A3182ACDCE0FA8A7DE366637
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.G...G...G...N..U...N..=...N..~...`a~.F...`ah.L...G......N..R...N..F...Y...F...N..F...RichG...................PE..L...2..T...........!................q.....................................................@.........................@`..U...pT..x...................................p................................>..@............................................text............................... ..`.rdata...`.......b..................@..@.data...@7...p.......N..............@....rsrc................h..............@..@.reloc...'.......(...n..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	4838529
Entropy (8bit):	7.999964247779076
Encrypted:	true
SSDEEP:	98304:dyuKv/wWIsvrPq9Bj51aCo01eQI3rWHVNZCbNbXew9xJePD84rzt0V:dy9v/wWIsTujqEeKVN0bNzewTkPpz2V
MD5:	11C3B2492D2EFE15F6E49E06BBF6F771
SHA1:	3079536DAD9E3C6992DA6E5DC31CEA4691310125
SHA-256:	3B3D05AED876749A75D82D382314A20434D427BD44EE56DDB0C852C648A44040
SHA-512:	A79BAD2BBAFA2A096FB5CE90605FDFD6ABE55E004932AEAE588D67E0805724D88A40CF04CAC28FD4636F0CF19BDDBD3B1954B6CD9984D03EFED06D673B48C8A8
Malicious:	false
Preview:	7z..'...$.7 .I.....A.......50.QA..j..@..3.3gl.b."..&......28>R.$..Y..j..OBR`..S..3.UqQ..2J.r.'Y...;g........hn. ..S.W..c.,.gBJ&8`r.1s$...j.{...>.3.:...^...c..cW..r,:.....}...V...5t.,..Q.k......C"..:...... .5..U..}.b.v...9....{}W]....n.....U.8z...A.8....(..r.......&..zY..W...'n.Vh..V.-..W..K..S..$]y.I%.X....It........V.?!.....]..9.O...5.B.zF ..{ .B[...c..$..0C......OE.. .<>.Ht..d....F<.T.Zc....Q...).;..hX..F.....Z...8..."...Om4.X.H>...X.].h.N.9...HY.lv...fH..i.%C.V4.s.....2..^..W.9.>.x...P)....t.k`....=.J.!8K4.T..C>.M........{......8.'..d....%..R~.{..{s......RV....h..]...YQ...\|\|..'..1.W...4.......!..H...+C..?t.Em........%...b..f.?.es.....lO....?<]..x~b-\[. .............{F.,<6....../....?..L.u...eZvx.K.#+....-X.+..~L....[O....7.]&...5C."..Q........s.?N.-....jLf8..n>....6....z..)..O.6.....0.Y....~[..r.6j BEZ..4....6..sY.P3*.w..k.U......0,.....<h.o..}9}@=.v.b8w. ...H^.^-Q..t6f..`.M}'Sd.X.,.~<.^m...(..._.D.4....C..4<(...:...<..........^.C.q.PP..

C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	11899681
Entropy (8bit):	7.999984606834096
Encrypted:	true
SSDEEP:	196608:OI9kryCdze2PCDz0SSDHFzQEZtFAXiJqZ9Ne5PbwGIIxCH5aLJkER/NF7tt5R:dkrve2upkHFc0+XiJqrALLJkETtX
MD5:	34C22F715FACA10EAA6D4F0C04811934
SHA1:	163259AB5704779CE2A8E3BE11A7E73C4A9D36DF
SHA-256:	9747A960BC2B94B447948C0A0C2BE72BF97E9C0AFA56E678CE5E5B29355D1752
SHA-512:	BE6DC349F0F55CBFA39FDFC5051CAFBA46AA468C5C13DB47CAB03F3FB7A3F8AC5A1B04C31CABFAD9196534305EE310104904EAC26EB540D9853B63A8F4B37C4B
Malicious:	false
Preview:	7z..'....z..........A..........E.l..r.I....!../.~.........5w.4.....\|...Q....xt..j-.9..+N.v.To.b..9l......f..%\.....J..'..ADh...%..7J...x..b?B.......k.....l.^........H..\.X....xt.>n.v...c.... lF.I.I......eF+..Z\|\|Aq.[h6.\...M........;I\|...eN...+.y..W....?............u.>.A]..~.......YU.- ......aM.V..Cb.`.F.9XM.M.+...nT.T.%./.l=../..M..[@n...\%........N;.....i...f...+.Z\|..aIa.b...r].n...N~&..D......F.$..}....ut.ex-....O.%...MXn.u...G.$(.X..Mn\J..r.[..4.,f@&.#.)...J..}..1O.....0...G.......H..T.&.<.......$.q.j.S.....a..&.?...K}..XS....m......b..s.\|...,.=...e<.K.....wWE/......V..0g...6G,7'...<<.2Z....G@.n....R..^g....h.>A..u......m.4..U.e.....p.....4.gG....~'.s..qE?N."..>.xa.:F]..q."....[....q..D......s...#.L.mh..:s...m\|...r&.....^....v!...\. .`...b.s./T..g.\).eV{'..wo..x.=.L..p......%.C......H...2....o.#.! .t.....7....$..Lz.$.&0.6.f.s0...SK2.......bH..Z.&L.[#i..>...$....^M..`...W>*...a-m.;......!...}%..d0..]...O..l.F.....(....C.1.$.

C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313952
Entropy (8bit):	4.32348576044483
Encrypted:	false
SSDEEP:	3072:7cxIVD6kUS+hV/EENZH3JzJPlZ4k5O0f+BC9vCfFL:ooehV/pJzJPHM
MD5:	A88A6FFF171F7FECF8668DA1EFC843DF
SHA1:	E4C8B375BBECF5790B2B0444B049CCE11659D598
SHA-256:	34CCCEC093F5711D1202F54BFE8756E093E4F84099EC7D609AB9658C3C941921
SHA-512:	808F6E217F5E157663E66B46429636C4D811ACA7C5672EDD1B003377BB4A039265B4FB905B4ADE39D81B3E64E7793BE8278454155E8BD2EE92FB5B6F919563EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................l.......z.....h...............}.......s.......k.......m.......h.....Rich....................PE..L.....4Y...........!................e ..............................................'H....@.........................`...K.......<........................5..............................................@...............\|............................text...M........................... ..`.rdata...N.......P..................@..@.data...........j..................@....rsrc................`..............@..@.reloc...*.......,...f..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	362400
Entropy (8bit):	4.208790369342181
Encrypted:	false
SSDEEP:	3072:ZGlYJdSi2t2SwbVGMuyic94uxJmXs/wIb8n9ssWy5cdJEnpOwD7A51B8BLRPrB:0lYXSi2ttqWc/PYOy5cQnpOS51
MD5:	3D01B2B5288974E922B6417FD3B02373
SHA1:	5649D3E7E15D1BF707CD7C28FE9931E5620EE9ED
SHA-256:	B438EF547753F91577730FFE9321563E7DD4ABBCBF056ADEE3C49906FC1EABD4
SHA-512:	F0C0EEBA22F33A4C596FF1272D681E7A349AB60112FD0AF5C75E07F065F35525C332270DE0ECC171D0B4BF53C3BC79C4E40BAD0EF1A0418A2D5DE882765D2FEC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.\|\../\../\../Uef/(../Uep/V../{./Q../\../.../Uea/i../Ueo/W../Uew/]../BOq/]../Uet/]../Rich\../........PE..d.....4Y.........." .........F......lz...............................................f....@.........................................pm..M....b..<............p..\|....F...A.............................................................. ............................text...L........................... ..`.rdata...].......^..................@..@.data........p.......\..............@....pdata..\|....p.......&..............@..@.rsrc................2..............@..@.reloc...............8..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647184
Entropy (8bit):	6.591959886632138
Encrypted:	false
SSDEEP:	12288:I/8iKgqct1l8h5H/30CrYXUjniBZoStkf0EOl/mvxxXiINkYF69+:NbhV0gMYnigStkMEMSxXrmYF69+
MD5:	960B05116F13AE8E8B17A6BA2919BF2D
SHA1:	D1A58D1F65272198D0A6657B06FAE6D27F1E156C
SHA-256:	00354506D4F1DD6A1FDF9450CA4A8E799A5A420A1A47BA3E41D7B30D8D02440A
SHA-512:	7A05E3178ABB8F92AA3A61F8A3156C87BD46F03F12D8EFC6CC1FEEE36B2508816E761BF6A3385BBDA2DD16EA3AB9CB4A5B899C3D844257811F0B3D9C4464713B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`..`..`....`.i/]..`...^..`...H.%`...B..`....`..`..`...O..`...Y..`..2_..`..`\..`...Z..`.Rich.`.................PE..L.....b...........!.........................................................@............@.................................(...........................xC.......N.. ...............................X...@............................................text.............................. ..`.rdata..C?.......@..................@..@.data...8........2..................@....rsrc..............................@..@.reloc..<d.......f...4..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921160
Entropy (8bit):	6.7626587126151065
Encrypted:	false
SSDEEP:	24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
MD5:	5123C3B8ADEB6192D5A6B9DC50C867B1
SHA1:	6D142074A21AA50C240CE57CA19A61E104BBDF41
SHA-256:	273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
SHA-512:	067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2..f}M..2...JN..2...JR..2.......2.......2...2..3...`_..2...J_.y2...JX.%2...JI..2...`O..2...JJ..2..Rich.2..........PE..L...h..Z...........!......... ......Q........................................ .......G....@..............................................................7...P..$....................................'..@.......................@....................text............................... ..`.rdata...].......^..................@..@.data...X.... ...X..................@....rsrc................j..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	451480
Entropy (8bit):	6.641728581015286
Encrypted:	false
SSDEEP:	12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
MD5:	2C63554380D33E2AB153CB285E72C2F8
SHA1:	1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
SHA-256:	F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
SHA-512:	96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`.q.3.q.3.q.3B>.3.q.3...3.q.3...3kq.3..3.q.3..3.q.3.q~3.q.3...3.q.3...3.q.3...3.q.3.#.3.q.3...3.q.3Rich.q.3................PE..L....tc...........!.................}..............................................D.....@..............................................................I.......7.. ...................................@............................................text.............................. ..`.rdata..o^.......`..................@..@.data....w.......2..................@....rsrc................*..............@..@.reloc...Y.......Z...>..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337736
Entropy (8bit):	6.495942481063909
Encrypted:	false
SSDEEP:	6144:g1wCwn8QI2fm53Nx4Lj23TIae3m7jwyhb/7hjW7iBH+ljFx5mcvbKr:gmnckm5dy63TRe3XyhbNjWep+ljFx5R
MD5:	22C3095414CE54C8405225E3BCAAE591
SHA1:	9F0515A564B5077F49AACE011E84AF51F9973F32
SHA-256:	B734DB11E973318D728FE92E112639AE5B8876C855E6507315C707D04D3E0746
SHA-512:	2BE22658A038F8061B398489C357EFBA0F920FA24655A53650593D4924EE565E445D3A7CFD2C9689BC3A79E8355157004640E49B0249FCA63B3EBE11726D42A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T....{.V...].x.M...].n.....].i.....T......s;..O...].g.G...]...U...J.y.U...].\|.U...RichT...........................PE..L....fgS...........!.........(......~........................................`...........@.............................U...l....................................,..`................................S..@............................................text............................... ..`.rdata..............................@..@.data...8Z.......0..................@....rsrc...............................@..@.reloc...A.......B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetSpeed.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499432
Entropy (8bit):	6.633998530829339
Encrypted:	false
SSDEEP:	6144:2gz1k3fKRVIpJcADwPkUeKvd8C/RxC4MwYXlHUCMJ/TBJnt8KZ0Se+4xichK4:tMfKRGJc1tnPC4MwYXVl4/Trt8K61s2
MD5:	049791828DE05D24D29EC9C8687F8B1A
SHA1:	2B6D787EB078DFAE0C6718A9D99D06CEB01FB273
SHA-256:	D418DDA34640521B8695642C7A7E719F173F706472617CFF4ED343FB68211862
SHA-512:	7E36019A163F55932F95D33FACB216B69244DC8D5506CFD1D2E707A736AF448D7A4F78ABEAF85CF0F42E4E18B7EB1D330A9788F73773E6BE23A61C6B2981136F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............a...a...a.......a.......a.......a......a.......a.......a...`.D.a.......a.......a.......a.......a.Rich..a.........PE..L......c...........!................................................................\|.....@.............................a............p...............r..P,......@F.................................(q..@...............`............................text...E........................... ..`.rdata...G.......H..................@..@.data...Xp.......,..................@....rsrc........p......................@..@.reloc..\|d.......f..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\Netgm.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343784
Entropy (8bit):	6.490658338748216
Encrypted:	false
SSDEEP:	6144:rFp+cWO/EibdFr0Zv7U7bAb1qi8JU0Wexe/1Yd02Y+VZRg43r:rFMcWO/Eib3r8jU7Q1qi860WexexEGe
MD5:	6E5F6B4D49768E131EF614DD07E5EFA5
SHA1:	DBA90982727A9373C8D97E72500D89814184C7B6
SHA-256:	EE326C156144EB89DE76C21C66BDA10BD22922B1A9C85615CACEE84DF355604C
SHA-512:	12FF45D6F469B577E74A62B866DAE2A879751654A6627250286E3CC4F319411FE901155347DA762010F373BBEB46F2BD95E0428893242EE4707BEFA7312CF92D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o... ..o.....o.....%o..=..o......o....o....o..o.._o.....o.....o..=..o.....o..Rich.o..........PE..L....P.d...........!.........d...............................................p....... ....@..........................Q.."....@...........Y..............P,... ...*..0...............................x...@............................................text............................... ..`.rdata..2...........................@..@.data...._...`...2...@..............@....rsrc....Y.......Z...r..............@..@.reloc...C... ...D..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetmLogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	533600
Entropy (8bit):	6.567835943059589
Encrypted:	false
SSDEEP:	12288:OgmCH8ZkhmmpKJiv/Dn5EWomaMIhEKf3Io7fknS52:Og58GnOthL/I1nW2
MD5:	5D7B815A95164AFB4A8E35240644793D
SHA1:	3AA5BFB8B2EE68C33BEB3190480CBE0149C29A96
SHA-256:	1158A8B493FC607354DD21E5A601760C082C00EB8B69E839E17E4A198C807418
SHA-512:	95E06406294258A3F81446A17E5CF67A02EFCDB0DA257F32ECD5B48D3F00B9BE628E2F82C04856191CDFDE02474ABC62D64D4A200164D7F6149993E548C8A335
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o.o...o...o......n...f..w...f......f..!...HTz.~...o......f..$...f..n...q...n...f..n...Richo...........................PE..L......Z...........!.....F..........'........`...............................`......v.....@..........................U..P....G...........................5......LJ..@c..................................@............`...............................text...iD.......F.................. ..`.rdata.......`.......J..............@..@.data....r...`...8...B..............@....rsrc................z..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247016
Entropy (8bit):	6.914297747665078
Encrypted:	false
SSDEEP:	3072:LQvXrZQoI8GHJg9bb9wv/cZD9Da5TUUQJYlCXbKJOZwFSYG0GTO/X3/mCP0V:kFIZgXwvkZqUpJRGOZwFVG0X/mXV
MD5:	5B4C825671418F34D95EC1F7BB55FFA1
SHA1:	C0AA182B281EDB4F06BDC98D7CF413AF948AB50A
SHA-256:	AA51AE325D53D586532145E0C6E702247654502C0349C5FC570D7155353B045A
SHA-512:	BEC6D76883BF786F93BCA0E32A36CF21002D5E1CDC1C098628D9D50D1E8E40B0E44C6AAA07DD8B503ABA5B638D44CBFAAF6C4BFB0E9F6C8F49470D7664432F73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..#...p...p...p..ap...p..wpv..p..pp6..p/1.p...p...p...p..~p+..p..fp...p..`p...p..ep...pRich...p........PE..L....B.e...........!.................$....................................................@.............................]....i..........x...............P,..........`...............................HM..@............................................text............................... ..`.rdata...q.......r..................@..@.data....N......."...p..............@....menu_sh............................@....rsrc...x...........................@..@.reloc...2.......4...b..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	290024
Entropy (8bit):	6.537709606383622
Encrypted:	false
SSDEEP:	6144:AhEzpelia8VSPgFmHKbDNATfCfzWNunIj1EpJRGOZwFVG0SJK:AhSpelaSPXMmLC7W4iOZYG0n
MD5:	0F15D28EB4CCD9DADFEC0305BF5F8E2A
SHA1:	04DE9FA6736978FDEFA031082C58FFCD0169861D
SHA-256:	F06872A9A6A6AFB4FEA670385694EA364F271705FB89B09E4390E95752A98F25
SHA-512:	955B8C3F383C66B4249510A20890C856994F2F4E9FA40C374B472B9E19AC2441A86BE67249F13E1F624AAF2F03D0F6A73F69A0E3D73178F2FC39843382D1041E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..Hq..Hq..Hx..H...Hx..H{..Hx..HN..HVT.Hl..Hq..Hl..Hx..HR..Hx..Hp..Ho..Hp..Hx..Hp..HRichq..H........PE..d...7B.e.........." .....L...........]...............................................L....@.........................................."..]...0....................#...@..P,......P....h...............................................`..@............................text....J.......L.................. ..`.rdata..M....`.......P..............@..@.data....j...0...,..................@....pdata...#.......$...@..............@..@.menu_sh.............d..............@....rsrc................f..............@..@.reloc..L............2..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NetmonEP.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	160584
Entropy (8bit):	6.648758970829866
Encrypted:	false
SSDEEP:	3072:ABDE5pe7xyshJiszc1TLQXDNxLYeW54C:Aip4ysYTLcXP
MD5:	EFEBB6F93832D5A7EEF3BD4EB81D4A79
SHA1:	9A75E55A08422E7B6A7D695EBB0F61589B31005C
SHA-256:	542928806DE9A653C52250A0AB3D7847EF9249C195C00B82E5BDEB066AE6D2DF
SHA-512:	D9F276F0556539739289585B55482034BDF99F0C18917720F1AB84B870DDA3E303792CD4DF85183155BFFF8DA174EFBE8A74506197B268D632BA6916AF00E521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m..,m...m..=m...m..+m..m.Y.m...m...m...m.."m...m..:m...m..<m...m..9m...mRich...m........PE..L......S...........!.................`...............................................................................*..V.... ..d....`...............X.......p......................................p...@............................................text...I........................... ..`.rdata..VJ.......L..................@..@.data.... ...0......................@....rsrc........`.......4..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\NotifyDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	549488
Entropy (8bit):	6.736896619735914
Encrypted:	false
SSDEEP:	12288:XLgRCEprkKZlVgTndpHpTVWDQZNrHIGUYmHASzK8BnWToS09:7gAEprcnLVADQbzIGHmxK+WTO
MD5:	14274CF241144895CA05CD456197F573
SHA1:	4D4009B0A2F7BA56C6C98DC823C41085EF4712C7
SHA-256:	113562BF950B39E9466E8F646C84AAA93F6B2C89530F56913B0B36E0096239A0
SHA-512:	5A8009D935EB59B10523494C6C9D0A79FD29B0FA41CBA046E9CCC60A8D2EBA05CCC23D881E121A4526371E21B7C9DB6CC62783E1A5ACAD019705970C9F52091E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y.....y.x...y.....y..J...y..J....y..x.P.y.......y.......y.....y.....y.....y.Rich.y.................PE..L....u.T...........!.........@............... ......................................j.....@......................... q.......R..T........Q...........L.......`...M...&..................................@............ ...............................text............................... ..`.rdata...R... ...T..................@..@.data....z....... ...^..............@....rsrc....Q.......R...~..............@..@.reloc...x...`...z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Program Files (x86)\IkCWSTWLLRQX\PDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253456
Entropy (8bit):	6.554744612110189
Encrypted:	false
SSDEEP:	6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
MD5:	637FB39583F9C2EC81E0557970CD71AD
SHA1:	ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
SHA-256:	330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
SHA-512:	F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........gOT...T...T...]..B...].....]..Y...sTr.C...T......]......]..U...J...U...T...V...]..U...RichT...........................PE..L......b...........!................W...............................................j.....@.........................@L.......=..........T...............xC..........@................................!..@............................................text...)........................... ..`.rdata.............................@..@.data....H...P...(...:..............@....rsrc...T............b..............@..@.reloc...,...........j..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\PopSoftEng.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662920
Entropy (8bit):	6.526894314465185
Encrypted:	false
SSDEEP:	12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
MD5:	C3EA1FBF2B856FC25E5348C35FF51DD9
SHA1:	87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
SHA-256:	6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
SHA-512:	298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.............~.......~.......T.......~..........................J....~.......~.......T...............~......Rich............................PE..L... .._...........!................q........0...............................P......8.....@..........................J..N...D9...........................6......PT...3..................................@............0..(............................text............................... ..`.rdata.......0......................@..@.data....~...P...8...4..............@....rsrc................l..............@..@.reloc..Vn.......p...t..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\QKFJSGCGWGRQ

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.2011029533052096
Encrypted:	false
SSDEEP:	3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
MD5:	E7EE8D889FBD33DED17EE00BC9E98ED0
SHA1:	A153B28DBB602C58A606A44906F38128E85CD285
SHA-256:	2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
SHA-512:	006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
Malicious:	false
Preview:	[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Program Files (x86)\IkCWSTWLLRQX\QseCore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	849224
Entropy (8bit):	6.7893930691706075
Encrypted:	false
SSDEEP:	12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
MD5:	AA4E9E8A1B0B7C4126451814701A449F
SHA1:	7D988C453283C345E17422FC4B2B6CCFD8200245
SHA-256:	6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
SHA-512:	0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.{....O.{.....O.{....O.Q;...O...L..O...J..O...K..O..O..O...K..O...J...O......O..N...O.W.F...O.W.O..O.W..O....O.W.M..O.Rich.O.........PE..L.....6]...........!................E...............................................f)....@........................../.......0..d........................6.......W..P...p...............................@............................................text............................... ..`.rdata...........0..................@..@.data....F...@...,...2..............@....rsrc................^..............@..@.reloc...W.......X...d..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\TP453990d4df32.TPL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	719
Entropy (8bit):	7.651157103123239
Encrypted:	false
SSDEEP:	12:13GQDv7sWgZDAIXQk5m/2MnB82RU+JR/DoZMIZ6XO1a/oCfGEAxTNBfJb4eWNudj:1GQDvMAIgk5meMBXfsrZ7a/ODBpdj
MD5:	2322FEDC1A270A91A3584496BF609CEF
SHA1:	F422C6A1AC8BA5911C2A74BCBC052D11E43A3F97
SHA-256:	832BD52C260A50338ABECA0E16A65ACE58DDBCD16F5E65A30BA9362822376763
SHA-512:	575891E907D02DEA426EFA6DFB9AF11A4B2C23FA7C73C85ADA4C555085A6C0B14A76500974D89D1726A6853C8836F90A112F928DEE250E86681415DD2A8242CC
Malicious:	false
Preview:	7z..'.....b.p.......?............G.>FK.~)K..0+.B.....#..F..5}H.....3>...0RR1.x....T.P."X..%.BR..TA(.\|L.B..U..2.9...EW....2..R..P.[X.Z.+.3..u.....9..vOy.]kN..3E.vk.4t..]..../.}Y...zZg~....a..A..k.`vD.V.~.. 'w...r....<P}.`.....3v.=......5..4.qBo....q.B....?e....u.W.\|y....TL`.nE;..5.&.+.S...t.."xh.. ..z.. .b...=..l.\|...(.h.+..f.D...).[.uO..$._.....s.&q1.$5.R..P.....:...iNL"SX."...b...).0......d..9/......+..C`.+.........2^.......M..j..P.+.`.5.m...X...J.As.....S<<.S..\.......j......7H..R&\a...4$".P!..r.l..o.R.Z..............y..g.\`..#M...E.....oZ..\|..K\|H..f.09B.....>.....S.9b.I....s.].....i2.U...H..zv...6.s.\.O...-=...............$.....S.V......U..1..0.#....].............[....

C:\Program Files (x86)\IkCWSTWLLRQX\TroPox-B_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753264
Encrypted:	false
SSDEEP:	12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
MD5:	C4A08B391245561157AEFD0FE7C40A11
SHA1:	28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
SHA-256:	53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
SHA-512:	24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............*3}...........l......l..Y...l..... 8..... 8..... 8..............&..........~;.....~;.....~;.....~;.....~;.....ip~s...........................k\..W.....d..................u...C.......Y............[......................................[..........................................+..?...........#7..k....;..+r...W..o............................W..[.............................................\|.....Sw.......u.....................{...x.x..?0.......1..................[..[..x.x...Oi...K......................[......~...?....+.......A..............[..[..\|w.~..+r...;...s...Y..............[..Y........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\TroPox-E_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.306110093863136
Encrypted:	false
SSDEEP:	384:U4MHLZo6ULkil3CtzKIoTRp6n7B56TXGy5+:U4MHLZo6ULrCtzcTRpUd5S2K+
MD5:	ABE42D544B1002D50801E3075576F455
SHA1:	58B6CFBB60EF6AD2734C163C4C83B04CBF617AB1
SHA-256:	3D48A8F09DE2FD202BA4922D944FA7FEE03B1DF13FC3BFC22BE814937CEA52C6
SHA-512:	C9B842A687FF0A6DC4E242AEB3CFB6964A7D4083A9D9A1583B1F85E949E68451C24744DDB07531DBE03B0539C9F1FDF5BE3F400D1A523325BD114633564616E4
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............;.9....9...9...9.~z9...9.u.>...9.u.>...9.u.>..9.u.>...9.~.>...9...9..9.u.>...9.u.>...9.u.>...9ip~s...9................k\..W.....or.....................................K............................................[..........................A..o..._F.............................{......M..C...................[B......{M..[............K................................\|....................................{...x.x.......K......................[..[..x.x........k.......M..............[....\|w.~......{.......C..............[..Y........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\TroPox-Z_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044707
Encrypted:	false
SSDEEP:	24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
MD5:	C77EE913C46510A705A9DDDD91DE8302
SHA1:	CB5E045FA27186B9F23E4919590387478B9343D5
SHA-256:	092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
SHA-512:	A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|...............K<+.K<+.K<+..@x.D<+..@~.P<+..@y.<+.y.,.<+.y./.<+.y...<+.@..H<+.@..B<+.K<(..<+.#...O<+.#./.<+.#.,..<+.#.+.H<+.#...H<+.#.).H<+.ip~sK<+.......k\..W......~.............................B.......;..........................................[.........................k...........k...................#...k..........K..............................k..[............;..7.............................\|.....<..............................{...x.x.......;......................[..[..x.x...K...;...O..................[......~..............................[..[..\|w.~.............Y..............[..Y................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\filemgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	618728
Entropy (8bit):	6.588792056328895
Encrypted:	false
SSDEEP:	12288:B+jJIpPUHR7IS++ZbaL/mH6yf0fvmuZqhI8XlF7YfkLfm7WUjxioncm:U++4LVs0QpFaIm7WKgoB
MD5:	6E8F89DA86BB82538932DB314C2208F8
SHA1:	A86C373D7BC49032F0EB7D0BB01DA74BA67B4F43
SHA-256:	ABA5E0FFC2D21CB5045D13CE66F8D80862600E37431D20E999295CB07DC5EF3D
SHA-512:	7EAA25D7AC722EF7687357356AC9635B80158918BDA03C3A7E49387BEACD8CD2A9A2ACFD8B5D13571453A7279772FA726A75C9DA0FD7EC6D5BAF202FB928F00C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9..9..9.MvF..9..AE..9..AZ..9..AS.e9..AC..9..9..8..AT.v9..AB..9..kD..9..AA..9.Rich.9.........PE..L....t?e...........!.....8..........b........P......................................).....@.........................p...O............0...............D..P,...@...U...T..................................@............P..$............................text....7.......8.................. ..`.rdata..._...P...`...<..............@..@.data...\|s.......(..................@....rsrc........0......................@..@.reloc...m...@...n..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\fixsc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147176
Entropy (8bit):	6.792908985087195
Encrypted:	false
SSDEEP:	3072:oAhT/95cw+pUD+U7s3H9xMaZ7DdJMq5mZZEGP0V:RBADU7s3H9xnBhJyZZETV
MD5:	2EEFCD3D407E4DA935E5B60EF257E153
SHA1:	34F56846E9F48F9775DD8250897345B7736DE213
SHA-256:	837B3DE5BF545BAB85599F0B6D36D8DFE4B3595AE94254CF7C968D1D7DA86F35
SHA-512:	EA05765A18CDA52A7398E04947C8DD6828BE06B07261C612BB8E550656FF5F9EBBD37F85C07007980044D2036171227EEA978B0D0592D6D584A5DEFE53BF8968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J...$...$...$.e.....$......$.....$......$...I...$..._...$...%.{.$......$......$......$......$.Rich..$.........................PE..L...\|Q.d...........!.....Z..........X........p...............................p......}.....@.............................l.......d....@..................P,...P..\....q.............................. ...@............p...............................text....X.......Z.................. ..`.rdata..L_...p...`...^..............@..@.data...\|n.......,..................@....rsrc........@......................@..@.reloc.......P... ..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	174824
Entropy (8bit):	6.422260069407969
Encrypted:	false
SSDEEP:	3072:vjNq/3Jyz4vHAYH7EKJ3eAlNd09cd7g9EEnQHBdp5FFmvBh7P0I:vjN6yKNBJ3eAdNEEEQHB/F4BhII
MD5:	ED2ACECC811ABF288316C709E2F2D943
SHA1:	0CCE7CC3687CAAF59E6DEA1A90D1214782B5742E
SHA-256:	C3E9F2023A28A2115D15D8DA451B8105771C4D4746F494CCF83FB28623CF724C
SHA-512:	9DD510EABDB4D59B82A7492DFE6A6D11C47721DD0B7F0F22C8060063A94E36FE93A28EC19815AA68F89B1B807AAE584B304AB15D183493295B7E13E65527BEE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xI~G<(..<(..<(...g..?(..5P..Q(..5P..7(..5P...(....}.>(.....=(....k.+(..<(...(..5P.."(..5P..=(.."z..=(..5P..=(..Rich<(..........PE..d...UQ.d.........." ................................................................G.....@.............................................l.......d...............x....~..P,.............................................................8............................text.............................. ..`.rdata..............................@..@.data........ ...L..................@....pdata..x............Z..............@..@.rsrc................p..............@..@.reloc..\............v..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\heavygate.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	559000
Entropy (8bit):	6.789431209891293
Encrypted:	false
SSDEEP:	12288:OrswC3DEddri7Dj1XHmyZQNCAGTFgRJz/9i:gsP3Dwdri7DjlHECAGC//9i
MD5:	EE6AA967C56CC0D0820C95D4FD89FB30
SHA1:	D1C5161FB8CCA7FEDFFC1056FAB8D79309EEC01D
SHA-256:	C7CC69762AE72840D200C14E652A460807F487059F7D0780E245AB36AF445B9B
SHA-512:	8502D5E4BB48FE3ABCA897F293199815CE7DBB67E4983BF9A9631A4F92602289FBF08D42DC547B96E1C8338C77108019B952DAA5D682465C7C5567CCBAECEEAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.$PL.wPL.wPL.wY4?wJL.ww..wSL.wPL.w.L.wY4.wwL.wY4)w$L.wY48wQL.wN.>wQL.wPL=wQL.wY4;wQL.wRichPL.w........PE..L...y.`c...........!.........F......*M...............................................)....@.....................................(....P..L............>...I...`..h...0...............................0...@............................................text...\|........................... ..`.rdata..............................@..@.data....B......."..................@....rsrc...L....P......................@..@.reloc..X9...`...:..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\hipslog.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49480
Entropy (8bit):	6.739956450503979
Encrypted:	false
SSDEEP:	768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
MD5:	E2D837E2B4DDA87A82553631E7D5627A
SHA1:	9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
SHA-256:	A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
SHA-512:	3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........@3..!]..!]..!].Z.\..!].lH\..!].e....!]..IY..!]..I^..!]..GY..!]..GX..!]..MX..!]..Y..!].lHY..!].lHX..!]..IX..!]..G\..!]..!\.=!].cHT..!].cH]..!].cH...!]..!..!].cH_..!].Rich.!].........................PE..L...>.?]...........!.....X...,.......Q.......p............................................@.............................t......P.......X................6...........z..p....................{......pz..@............p..(............................text....V.......X.................. ..`.rdata..~....p.......\..............@..@.data...P............x..............@....rsrc...X............z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	383720
Entropy (8bit):	6.579374990134974
Encrypted:	false
SSDEEP:	6144:oG1pYD09uIwtl0F1LrheKG/HYStQGz1DAOoQGEnb5bj1hFu:X7g09uRlYeKG/DHegbjs
MD5:	3CE009AFF2FE459A8248693AC8DAB788
SHA1:	607444A7B8AB2E17C525BBE0B28878C3BD0F8099
SHA-256:	11856EE1D754D31AF95F1047CE6B68CA2395C703A995525FA5D9E4A2678D0B86
SHA-512:	1AB4ECB89B07F09985B57F0D546FE6063D8ACEDE435F74075EF9A37288F7D9D19DF168AAEDB38093D88BA2E515CBDABB23F87163AC8FCF9A706448B0F4FC2774
Malicious:	false
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......d_f4 >.g >.g >.g...g->.g...g.>.g...g=>.g)F.g">.g...g%>.g.`.f4>.g.`.f.>.g.`.f.>.g)F.g">.g)F.g3>.g >.g.>.g.`.f.>.g.`.f!>.g.`.g!>.g >.g!>.g.`.f!>.gRich >.g........................PE..L.....8e...........!........."....................pe......................................@.........................0...................8...............P,.......L......p...........................0...@............................................text...}........................... ..`.rdata...O.......P..................@..@.data...p^... ...0..................@....gfids...............:..............@..@.shared.x............<..............@....rsrc...8............T..............@..@.reloc...L.......N...^..............@..B........................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	406248
Entropy (8bit):	6.190903413261375
Encrypted:	false
SSDEEP:	6144:OazgQG4JdLe2p+teZ3q9y/3clyMEcLeowam/xohKKJJT2pgJ1JhfQeUnZdnkewZ:HgVGemGeNlYbR2am/xolx0nZZjm
MD5:	E5E4828980E5C836163382F9642D4D24
SHA1:	E8BFB72EB75D20DEEA9152089B7092E07F2EF2F3
SHA-256:	639EA37856839C2D5446A82441D7AB94204EE1172487EB88E9AC1CEB6261D554
SHA-512:	6F621EC441CA46CC48A48056F8E278FF746ECABDAB1933C0FEE18574EE366BD9721487D6462746B6874A5B2CD4D8FC327B5089F351CE8086E10061791034794B
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........o-a..C2..C2..C2.h@3..C2.hF3Y.C2d..2..C2.f@3..C2.fG3..C2.fF3..C2.hG3..C2.hB3..C2..B2#.C2RgJ3..C2RgC3..C2Rg.2..C2...2..C2RgA3..C2Rich..C2........................PE..d...j.He.........." ................l................................................t....`..........................................J.......K.......P.......... 1......P,...`..........p...................p...(...p................................................text.............................. ..`.rdata..............................@..@.data...,F...`..."...H..............@....pdata.. 1.......2...j..............@..@.detourc.F.......H..................@..@.detourd(....@......................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\ieplus.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887648
Entropy (8bit):	6.72536750906441
Encrypted:	false
SSDEEP:	24576:rMl3YXVguMMrGA+64Z/fOl7FPZ1ZGf4a9nCFECq3N:Q0LMe4ZHOFPXZGfNCFEzd
MD5:	CFB50C3C7D74F518CA9E2828E702145E
SHA1:	E38FD98574C08BCC6415E62EA7C9A380958A3D1C
SHA-256:	1C8FF953478CC71166A36181ED32AE7C48B267B011240DB2C701E35D391A66EE
SHA-512:	BD08332BDB78614F1CDFD2E4939B1B9400476D99B50996C17C0277ED76DB5972FAC5EC77DCD4C56459DAA11C6126DC12D66A4E59122DC9B8D89FF6DF89B83240
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%.U.K.U.K.U.K....T.K.K..R.K.....S.K.....R.K....p.K.U.J...K.\...C.K.\..v.K.\....K.\..L.K.\..T.K.K..T.K.\..T.K.RichU.K.........................PE..L....N.]...........!.....f..........................................................^]....@.................................L...,........j...........V...4...@...s.. ........................6......X6..@...............d...\...@....................text....d.......f.................. ..`.rdata...d.......f...j..............@..@.data...........p..................@....360_iep(............@..............@....tls.................B..............@....rsrc....j.......l...D..............@..@.reloc.......@......................@..B................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1001320
Entropy (8bit):	6.375963793592453
Encrypted:	false
SSDEEP:	12288:DaG9UYtX8J3EfBCMwM9E4jRcoI237MSW7/HTdPSYPJBhnHRxd/c:Dx9UdYRwM9EWI23wSWHdPTJB5dE
MD5:	074CFA8CC35DC642A2B95CC96CE5357C
SHA1:	CEE218C914D530BE6C9BB9531E78F2137224D5A8
SHA-256:	4DE592C87C443780B5D475414196B3C5406ACEC8809EA65AF45A50E7E43462A5
SHA-512:	EF776EB824F4C3152A380B3EC2858A11A96E48711C213AF905FE2B0A972F9CB4A7D83B4B96848DB0B478AF4D19623CB8AC0E5F8FC47007B39E0F16FC2E5FC851
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........../.p.\|.p.\|.p.\|..@\|.p.\|.?\\|.p.\|.._\|.p.\|."N\|.p.\|V.v\|.p.\|V.t\|.p.\|V.s\|.p.\|.p.\|[q.\|..I\|op.\|..N\|.q.\|..X\|.p.\|."^\|.p.\|..[\|.p.\|Rich.p.\|........................PE..d.....].........." .....V..........\|................................................-....@.........................................0y..g....W....... ...j...P..H........4......8...p{......................8;..(....................p.. ....V..@....................text....T.......V.................. ..`.rdata.......p.......Z..............@..@.data............n...d..............@....pdata..H....P......................@..@.360_iep(............\|..............@....tls.................~..............@....rsrc....j... ...l..................@..@.reloc..d".......$..................@..B........................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247528
Entropy (8bit):	6.604794755347589
Encrypted:	false
SSDEEP:	3072:2Y77YOcw6BdKQYuVXsZy54tgQCkW30W9ezJQ4mRan5kiINyyT7PK0AMZcan5aj9b:n7YiJEIy54gFogRa0Nl/N1Sjl5yxAl
MD5:	9B05B1F0E62DD100D385807262B84A90
SHA1:	631449787D7532A855CB061E333C0712AC20E753
SHA-256:	6BC0133A16C7F058E5C0B6027929DB1145D37717118DBCF24013FA4F2D79E848
SHA-512:	9F43A542B38D998038D20467BB797CF789A36666F4B8154A548FD6E7BA24A20256C9A0BAB64CD43CB12BEBF704A524FE35F9652FA399237A3F0AFB3BF8670676
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.n..yn..yn..y.Hmyo..yg.ny}..yI..yy..yn..y...yI..yo..yg..y*..yg.xy...yg.qys..yg.iyo..ypUoyo..yg.jyo..yRichn..y........................PE..L...N{.e...........!.................................................................N....@..........................R.......B..........................P,.......&..0...............................p...@............................................text............................... ..`.rdata..............................@..@.data....\...`.......>..............@....rsrc................Z..............@..@.reloc..h7.......8...`..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	705768
Entropy (8bit):	6.685295160437571
Encrypted:	false
SSDEEP:	12288:S/20NCvMDhBsqLeIQA2BcMNcYB1mF5Q3LNOsbwbekwCYgLECHqa7XWpbt9o9TehK:e2KC6hBs6f2Bcm65sO8wACHqaTQJe9Tn
MD5:	8B632FD2D4EA70470AF97CD5E88F74D7
SHA1:	9E384D37EB586E9B187F4FFF89C2F104A7921F44
SHA-256:	AFCBB8BCE2E5C8C5E9AA851941E626A62573E6054EC75C14066AD37726BB9DB6
SHA-512:	5F7EA2BF6599AA9E0C44C2820F89DF0827EEBD8A037C9DF2AF516D9865BBEEAF31CAC89AF7214A59BD4B25F2BF7EB94E257AA2766F1D12892E1C34E78776F5E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,B..h#.h#.h#..,..j#.a[J.p#.a[U.d#.vq[.l#.a[L.K#.h#.#".a[\..#.a[[..#.a[M.i#.vqK.i#.a[N.i#.Richh#.........PE..L...X.Le...........!................L.....................................................@....................................@....p..8...............P,......Pk..`...................................@............................................text............................... ..`.rdata..............................@..@.data............6..................@....rsrc...8....p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	202472
Entropy (8bit):	6.660474984647205
Encrypted:	false
SSDEEP:	3072:jLH6l5IoUzqiNVwzQyaT0NQgepguwz+uQJOAg0FubAIrnXrsFCAsKIP0a:SluoK7QiToQdeAOpLAFCtKha
MD5:	0EA1C58DEDF685A4A1EEB1C7BD1C972D
SHA1:	66CA439A737A35FC936D2C8F990AD3538D9F2CDC
SHA-256:	41780A7339545676A2D587CD5BCEA9181E6FAAF3EC73C5006D7D76B47B98A6F2
SHA-512:	D16B0A12EE38399C4B05F38E0CCCAFA6BD4984C353AF845337F3E5E8D64AAF3D9B1561E423C5CA59D2652EB083E92FB8832168989B34F11465AD581A39739BA7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:gx.:gx.:gx.....7gx......gx.....'gx.h.{..gx.h.}..gx.h.\|.%gx.3..=gx.:gy.Zgx...q.8gx...x.;gx.....;gx.:g.;gx...z.;gx.Rich:gx.........................PE..L......d...........!.........*.......\....................................... .......A....@.................................P...P.......................P,..........p...p..............................@...............D............................text.............................. ..`.rdata..............................@..@.data...H...........................@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\jpnative64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	247528
Entropy (8bit):	6.255611405833788
Encrypted:	false
SSDEEP:	6144:MzlHNKfmGZoRwaQDy4ikigoh7Chpq8eFiybV:6tp9QD7ihgohCQFh
MD5:	9380B590C9BE993F3F253469D0933765
SHA1:	0DF57C8EA3D19DCEE142F03D0D6FF4DA7EE5BCCA
SHA-256:	CB8BE7A72561A379B122AB70CAE681840009CE71C9C50B819B2B9E8CCC7A5B73
SHA-512:	2277F388E10D8D579203F7546C30DD314C4BA0AEAC0CFBDBB7F393FBFE54F7ED60FBEDB31E524275112D9E1BDB9F5CB24AC02259ABBC096A81E8CE2D32B87F6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.T...:...:...:.u.9...:.u.>...:.u.?...:.H.9...:.H.?.,.:.H.>...:.u.;...:...;.E.:...3...:...:...:......:......:...8...:.Rich..:.........................PE..d...A..d.........." .................c...............................................8....`..........................................\.......\..P.......................P,......\|....&..p...........................P'...............................................text............................... ..`.rdata...U.......V..................@..@.data....'...p.......V..............@....pdata...............f..............@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	705504
Entropy (8bit):	6.635093248285898
Encrypted:	false
SSDEEP:	12288:GngcmdomAFsBeQsv5REGqRXkgVP73MfsPF9vyt2nSyv9K:fLAFKsv5ROkgVAfsPTyEnD9K
MD5:	C40E8A502AF91ACA96B85AB36CBE818B
SHA1:	004141E75604502E2EA30C5760008368C36850D8
SHA-256:	A10966CC2785845DC296D90EF9C97ABA865BD06DF1A8A7006A7EE53EBD2152FB
SHA-512:	219630292A8CF70311F06DC1F3A99BA948E7E7BBAB937B0F5B928121838B79FE851B70650BFFD07A4F36A22E2A7B34DE4461D8F4C97FC1322026CA2C5C2E31EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........fP...>..>..>..v?..>..o=..>..o:..>.l;..>.0n?..>.?u;..>.....>..n:..>.j:..>.j;..>.6....>..n;..>.2n:..>..`;..>..`:..>..o;..>.2n;..>.l:..>.l8..>.l?..>..?..>.4i;..>.bj;..>..n;..>..n>..>..n...>.....>..n<..>.Rich..>.........PE..L...].$a...........!.........z............... ....{5................................b.....@.........................@...0...p........p..................H?......XS.....p...................P.......H...@............ ...............................text............................... ..`.rdata....... ......................@..@.data... 7...0......................@....rsrc........p.......&..............@..@.reloc..XS.......T..................@..B........................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\libcurrant.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	966376
Entropy (8bit):	6.564045153487216
Encrypted:	false
SSDEEP:	24576:3lzYxkj819KdVtUSPczJfKbM1aIjvI7BxwwuDFkrwtFkUHUZ0sIPbtYUkXAJfTSH:1zge8XKdVtUSPczJfKbM1aIjvI7BxwwH
MD5:	A9FF3D29AF8CCA5D3C90F17709EB0548
SHA1:	7F4B69366BA3BBB7BF08206FEA672C807CC2B562
SHA-256:	45E8B5F32CDE9201278500DF961133AD26AD60C531FCFD77D3D26FEFF105FFD0
SHA-512:	F043D1599D57B1E86D97CA1E81CF81FF0B3C97B95F1134ABF6DEEAC615F37645A825363315F5FB2139286BB5AEF5FA26C375E829AEC897C27CEA30199310123C
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$................e......e..*...e...................g....2Y-....................i.....y......}....................}.........Rich...........PE..L......d...........!.................d..............................................`.....@......................... ...H...h...x....p..@...............P,......@j..@t..p............................t..@...............L............................text............................... ..`.rdata..............................@..@.data...............................@....rsrc...@....p......................@..@.reloc..@j.......l...$..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\libgravity.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	871144
Entropy (8bit):	6.407442398411684
Encrypted:	false
SSDEEP:	24576:hgjR9MABH2uK50bPcjV/3WU020ZQA8NM/rmn:ghB1W3WUVeC
MD5:	9A88DC21D3AC42ECA184F37297387BDF
SHA1:	2F82552EF8F4B6A10356441CD158F1A0C5905913
SHA-256:	466DF96D59B878EC6775ECC4D497B71CCD73CB11FBB2C2B23575EFE055BFFB75
SHA-512:	1136D371771A71D329910ED9BDBF8243F74AD19FCE75F9A8712BC1E1E53EA3EF3722D4E067AB5567366D40D2637AF7E119E7E31734DDB57BCEE126CFE932C37B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......U-.}.L...L...L..3,./.L..3,./.L..3,./.L...L...L.......L..C$./.L..w$./.L..w$./.L..C$./3L..C$./,L..3,./.L...L..]M...%./@L...%./.L...%,..L...LD..L...%./.L..Rich.L..........PE..L......c...........!.................P..............................................._....@..........................{.......\|....... ..8...............P,...0...s..p&..p....................'.......&..@............................................text...U........................... ..`.rdata..............................@..@.data....}.......&...\|..............@....rsrc...8.... ......................@..@.reloc...s...0...t..................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	927976
Entropy (8bit):	5.917840435230856
Encrypted:	false
SSDEEP:	12288:Syp5QtiR2fVE00WKL+YD5ndNpKrtvKXVsFpJppn72z+T73P+2QHkgFrGCZK:1POE00WKd5ndNpKrtClsFXnhT7ZAkgxO
MD5:	158D719030DBD08384235B165FC211CF
SHA1:	A8161B15C0BC6576829DA4BC0732794B0AB2E37C
SHA-256:	BC33C91BE3D31557B16F2B91B90DE96580C3CD2510E3C3D3B77E3D4CC8DBB0B4
SHA-512:	383E551FFC50D17E9A5B466E996614B5AF35BEB48A72A47CB7D5A35B68D68906E5ABADDAEABD439AA214BE28E7A27FBCA3872537D65D33CA64A53B513A924EDB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.(e...........!..................... ........@.. .......................`.......7....@.................................P...K.... ..................P,...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........o..P............b...............................................0..M........(....~.....X.....r...p~.........(....(G......r-..p~.........(....o....}........0.......... ......{....rU..p~.........(..........(....o...... ...........%......(.....%......(.....o.....o.....o......ry..p .....o.....(~...o.......o.......+.....X.....o....o....&...X......i2..o.....0...............(.....4........(......-.r...p.....(....(....s....zr...p.....(....o....(.........(.....s\|...%o~...%~

C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	575720
Entropy (8bit):	6.4118078561661545
Encrypted:	false
SSDEEP:	12288:FoblSYniV7pA1yJVyfI1+RZSihzvjZh2Tx4UTFAzmp4ZZPy1KlU1E:sfI1+RZSiz2VlTF+XHlU1E
MD5:	82DE25B17C3B9D6BB253B6BE7AD2FEA1
SHA1:	6F6BCF23753F161D4DE444978C3EBC003D361B2D
SHA-256:	165FC9F929853B4AE8603BB0C7807456B99871A7C8E9078F95D954C466A7172D
SHA-512:	71EA0FE18F1EBDA98067460E6661FC108E7116E71651B0D05FB8365BDA92E1DBF02B89D20DF6B47C7557AC52877ED8EE503373164079C0F5C62EBF16439867C4
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$....................r.i....r.k.I...r.j....c.....c............X,_........................................n....n.....n.g..........n.....Rich...........................PE..L.....(e...........!.....v... ............................................... ............@A........................@...........x.......X...............P,......lJ......p...........................p...@............................................text....t.......v.................. ..`.rdata..\l.......n...z..............@..@.data....c.......(..................@....detourc.5...p...6..................@..@.detourd$............F..............@....rsrc...X............H..............@..@.reloc..lJ.......L...N..............@..B........................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	682216
Entropy (8bit):	6.095070464124169
Encrypted:	false
SSDEEP:	12288:rhqnA1JpofoqtokijtH2OMoVTP94CCIKGJToFTz/goFZKk:VqnALpPqXq92bEx4CCIKGJToFTz/gox
MD5:	3D7564C3B97E0DCC859CE8FAE51BF196
SHA1:	F6588DAA615A45E375AB4CD8153A3D9BBDC476C6
SHA-256:	73D11EF506C2282DBD45C4758F6C6B1352C596B1EC684BEF30778965D0774F1B
SHA-512:	C6021111CA8F0B8BBD111F85397C0F91DD2423B9168711296B484190CF5C43CABE6215AFE4533881F0F285FBB201D4974D7343E92F33681B1983BB1770110246
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........C".."LA."LA."LA...A."LA...A-"LA...A."LA.KH@."LA.KI@."LA#..A."LA.JO@."LA.JI@."LA.JH@."LA.Z.A."LA.Z.A."LA.Z.A."LA."MAd"LA.KE@."LA.KO@."LA.KL@."LA.K.A."LA.".A."LA.KN@."LARich."LA................PE..d......e.........." .........*.......^..............................................9.....`A................................................d...x.......X.......PF...<..P,..............p...........................0................ ..x............................text............................... ..`.rdata....... ......................@..@.data........0...F..................@....pdata..PF.......H...d..............@..@.detourc.h.......j..................@..@.detourd@...........................@....rsrc...X...........................@..@.reloc..............................@..B................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	628184
Entropy (8bit):	6.631864802737484
Encrypted:	false
SSDEEP:	12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
MD5:	BFF0CE8D5C44994EF19F63D63CC29EEB
SHA1:	B2837190927EE952721DBD5127C426D28FED9230
SHA-256:	08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
SHA-512:	F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<W..]9X.]9X.]9Xh-:Y.]9Xh-<Y=]9X.5<Y.]9X.5=Y.]9X...X.]9X.5:Y.]9X.5=Y.]9X.5<Y.]9Xh-=Y.]9Xh-8Y.]9X.]8X9]9X)40Y.]9X)49Y.]9X)4.X.]9X.].X.]9X)4;Y.]9XRich.]9X........PE..L....k%b...........!.....^..........=X.......p......................................c.....@.........................`................0...............V..@?...@..8F..pp..p............................p..@............p...............................text....].......^.................. ..`.rdata..jy...p...z...b..............@..@.data....8.......(..................@....rsrc........0......................@..@.reloc..8F...@...H..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\mobileflux.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117064
Entropy (8bit):	6.436398487030181
Encrypted:	false
SSDEEP:	1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
MD5:	80907BE35290D47A8C6DF50A0B44DECF
SHA1:	DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
SHA-256:	4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
SHA-512:	09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)g..)g..)g.. ./.8g.. .9.Mg.. .>..g......:g..)g..g.. .0.!g.. .(.(g..75..(g.. .+.(g..Rich)g..........PE..L...%..S...........!.....,...\|......H........@.......................................O..............................P.......4u......................................0B..............................._..@............@...............................text....*.......,.................. ..`.rdata...A...@...B...0..............@..@.data..../...........r..............@....rsrc...............................@..@.reloc..~...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171592
Entropy (8bit):	6.633100643329799
Encrypted:	false
SSDEEP:	3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
MD5:	FF07224F63F62ECC5C6F2DED09DEB0AF
SHA1:	D3ADF969B20A3E42032E60A87DBD69834A748C1A
SHA-256:	A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
SHA-512:	92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..X.y...y...y...+-..y....<..y......y....-.y..5....y...y...y....#..y....;..y...+=..y....8..y..Rich.y..........................PE..L....].[...........!................F.....................................................@.........................`...........x....p...............f...7..............................................@...............4............................text............................... ..`.rdata...N.......P..................@..@.data....L... ...(..................@....rsrc........p.......8..............@..@.reloc...".......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\np360SoftMgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243944
Entropy (8bit):	6.56760832272308
Encrypted:	false
SSDEEP:	3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
MD5:	FA85435627D31663BECB82EFFDFBE2BB
SHA1:	C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
SHA-256:	7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
SHA-512:	7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................f.*......)......?.......8......}........z.....6.............(......-....Rich...........................PE..L....6.e...........!................3.....................................................@......................... G......\:..........h...............P,..........................................@...@...............<............................text...x........................... ..`.rdata...x.......z..................@..@.data....D...P.......<..............@....rsrc...h............T..............@..@.reloc...-...........\..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\npaxlogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	404296
Entropy (8bit):	6.509440609680588
Encrypted:	false
SSDEEP:	6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
MD5:	630AE5740C702AF919BAED414DE8CFE3
SHA1:	26A50EFF049B2DBC24BE11411032172E82B37B04
SHA-256:	C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
SHA-512:	A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..,t..,t..,}.\|,y..,}.`,n..,}.f,o..,t..,h..,}.v,...,}.q,...,}.g,u..,}.a,u..,}.d,u..,Richt..,........................PE..L...[AVS...........!.....N...................p...............................p............@..........................x...... f.................................. 5...s..............................8...@............p..d............................text....K.......L.................. ..`.orpc...3....`.......P.............. ..`.rdata.......p.......R..............@..@.data....Y.......:...\..............@....rsrc...............................@..@.reloc..hc.......d..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\ntvbld.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Program Files (x86)\IkCWSTWLLRQX\pluginmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.451554967739461
Encrypted:	false
SSDEEP:	3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
MD5:	9828C8A355EA0F393260D6E3F7D511E5
SHA1:	DC587D4215DC083A35E4BBEE095FB3FB07A73C33
SHA-256:	B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
SHA-512:	178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........xL.+L.+L.+..+M.+E..+^.+E..+1.+E..+u.+k..+].+L.+..+E..+].+E..+M.+R..+M.+E..+M.+RichL.+........................PE..L...P.LS...........!................D.....................................................@..........................2..M....'..x...................................P............................... ...@............................................text...'........................... ..`.rdata...S.......T..................@..@.data...HU...@...,...(..............@....rsrc................T..............@..@.reloc...#.......$...^..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\probe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	6.443933218835315
Encrypted:	false
SSDEEP:	6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
MD5:	BB752561CE0859324FF01369BA8D25CC
SHA1:	8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
SHA-256:	A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
SHA-512:	0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&PLYb1".b1".b1".kI..s1".kI..^1".kI...1".E.Y.o1".b1#..1".kI..n1".kI..c1".\|c..c1".kI..c1".Richb1".........PE..L....r.\...........!.....`...........?.......p......................................Cd....@.........................@%..B...X........p...............n..h7......@#...r..............................(...@............p..d............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....6...0......................@....rsrc........p.......2..............@..@.reloc...0.......2...:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\qroscfg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.637936005523512
Encrypted:	false
SSDEEP:	3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
MD5:	F62317FC61CA698D45A54C0F7A8A78B8
SHA1:	F61D256EA3E3DD85CE7C44DC61AACC93E720F692
SHA-256:	59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
SHA-512:	C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.j&k..uk..uk..u...ui..ub.uz..ub.uR..ub.u...ub.ux..uk..u...ub.u\|..ub.uj..uu.uj..ub.uj..uRichk..u........................PE..L.....,S...........!.....N...................`...............................P.......T....@.............................L...\........ .......................0..T...0b..............................8...@............`...............................text....L.......N.................. ..`.rdata...k...`...l...R..............@..@.data....A..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\qutmipc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	170856
Entropy (8bit):	6.55483314591404
Encrypted:	false
SSDEEP:	3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
MD5:	7EE49A57339ABCC35FCDE25D3F5EE8D9
SHA1:	7A7F471DADD973CA57C79C43D93828B4496570E8
SHA-256:	DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
SHA-512:	F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..R`..R`..Ri.]Rk..R.BRb..Ri.ARr..Ri.WR...RV..Rb..RV..Rc..Ri.GRq..R`..R...Ri.PRZ..Ri.FRa..R~.@Ra..Ri.ERa..RRich`..R........PE..L...f..]...........!................K.....................................................@.............................a............................f...4..............................................................d............................text............................... ..`.rdata...O.......P..................@..@.data....n... ...(..................@....rsrc................8..............@..@.reloc..<#.......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\qutmload.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111336
Entropy (8bit):	6.7222941004358425
Encrypted:	false
SSDEEP:	3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
MD5:	8719E73BC84D506FE7F0D367AE46ED20
SHA1:	D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
SHA-256:	C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
SHA-512:	AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........z...z...z.f.'...z.....z.......z...{...z.....z.....z.......z.......z.....z.....z.Rich..z.........................PE..L...Z.Xd...........!.....Z...........A.......p...............................`............@..........................X..[...TM.......0..................P,...@..t... ...............................8%..@............................................text....Y.......Z.................. ..`.data........p.......^..............@....rsrc........0.......d..............@..@.reloc..f....@.......j..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	691760
Entropy (8bit):	6.65005121490335
Encrypted:	false
SSDEEP:	12288:z9dSp9WkHCGswmfwHaG3qNeNCGWmQ47/KkRjDMfZVt1UE3HZyr9oUTB2O:Ra7HCXwmfwHRI+HWmQ4HRjDIZVt1UE3a
MD5:	938C33C54819D6CE8D731B68D9C37E38
SHA1:	5DEBC5AECEA887D17E342E3651006E1DB351034F
SHA-256:	E705895392ACD9768F413E35545C6581B3BAC8C05DCE97BC9AF6A37BE7CB7DE3
SHA-512:	16DEAF3B8C9A29B73D6530474F2A0BF5AC756D44A04D2468464FB78C9048CA9F1E1EBBCC91ADFC74963B7083B0381A47F76C70BADDEB44026C969125EA1C929A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c..........................................@.................................6............@...............................-...p...~...........:..0T.........................................................................................text...P........................... ..`.itext..t........................... ..`.data....5.......6..................@....bss....le...............................idata...-..........................@....tls....8................................rdata..............................@..@.reloc.............................@..B.rsrc....~...p...~..................@..@.....................:..............@..@................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\FLIEAC

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\HipsdiaMain.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	6.398722888372975
Encrypted:	false
SSDEEP:	1536:qjw1c0DJ1xDL8lCXy60KlCXy60vcbvM1id4xSu:T1HPxD2Cj00Cj0C00WxS
MD5:	56867EECC2042A0FD681F3B90D365A16
SHA1:	021DAC119F8E115E6DF308DB85BC8760078D9719
SHA-256:	48F8313380BC6FA33172888B8FD9874A6ED5465213BACB9F8D5C2BB3AB37BAEE
SHA-512:	EBB40D1E1A7F6B9E9480E544A67C9383D53A708547ACBA787BFD7C5699E491EAD7FAF714C5D84407B3D9A1DD2051205E0A299EAEECEB44422E3874C5E55CC65A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........FJo..Jo..Jo..%.U.Ho..%.W.Oo..%.c.Ao..%.b.Ho..C.Z.Oo..Jo...o..%.f.No..%.R.Ko..%.T.Ko..RichJo..........................PE..L...83^f...........!.....2...........9.......P............................... ............@.........................@...]...L...P.......................................................................@............P..,............................text...40.......2.................. ..`.rdata.......P.......6..............@..@.data...............................@....reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMEventBus.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92272
Entropy (8bit):	6.543211290485113
Encrypted:	false
SSDEEP:	1536:5MUmmeVWAcHeFzyWQ+lh5W0pkw01pPafkNA0tDq3NnqFBjxxP:5MUsVF6eFvPPWBw01ofkNA0E3NnsBj
MD5:	23E97B1438152A4328FA97552F8B9AA1
SHA1:	F95D191EB1E6DDBCA5B20FAC2D0746FEBB0B2C12
SHA-256:	17CBD8771713566BEB469B300D34782986EF325582DCB575C4FB35C1FB397A9E
SHA-512:	FA497B5F806D851717C920755E245E65CDBF5CEFCE0975DA33A43C88005474F87D006FFEFE111A199ABF4FC68CA640CD18709FEDFC376FC64E6D6CC272D816A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X\...=.N.=.N.=.N.E.N.=.N.2.N.=.NNH.O.=.NNH.O.=.NNH.O.=.NNH.O.=.N..ZN.=.N.=.N.=.N.._N.=.N.H.O(=.N.H.O.=.N.HkN.=.N.H.O.=.NRich.=.N................PE..L....2.d...........!.........z......e................................................[....@..........................&......('.......`...............6..p2...p..`.......p...........................8...@............................................text...}........................... ..`.rdata..VS.......T..................@..@.data... ....@......................@....rsrc........`.......$..............@..@.reloc..`....p.......&..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPCONTROL.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPINFO.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPSTAT.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Toolbox.ico

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	104864
Entropy (8bit):	3.9053747079480448
Encrypted:	false
SSDEEP:	384:0ePYp7777777777FaTLcbLLLLEW/+Z+Z+I1m5aaaaaaaaaMsJju5wU4XcG8jUEPE:n7sAacGgUEc
MD5:	6CCA9307DEAF7B167C92BBE3D2AC59CA
SHA1:	FE2A51B84BD203BA0AEA43D50D664B1632F3B0B0
SHA-256:	771E0C7FF0514650DF7C62E237A8D8DDFA2D156A8B18473AE647E6684A483178
SHA-512:	C1E4639BCFF0C18713116973524E7527BEE31307C33AF2048F617CE0460580A2FEE88FF6E347F87C799AC990F4BCCB97A2FCEBCB82AD4A926EE95F211A033368
Malicious:	false
Preview:	............ .h...f... .... .........00.... ..%..v...@@.... .(B...;........ .(...F}........ .2...n...(....... ..... .....0....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v...w..w.........u...w..w..w..w..x.......\|...w..w..w...n...x...x...x...x...x...x...x...x...x...x...x...x...x...x...n...o...w...x...x...x...x...x...x...x...x...x...x...x...x...w...p...p...n..y...z...u...u...u...z...z...u...u...u...z...y...n..p.......p...s..w...w...w...w...w...w...w...w...w...w...s..p...........................m.p.p

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\UPSDK.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\libcurl.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.623047237297825
Encrypted:	false
SSDEEP:	768:vG3xRsJTKdiibUoT2zvivbXXyJWqWZ8DZX:vG7DyM22DiJMCtX
MD5:	9040ED0FDF4CE7558CBFFB73D4C17761
SHA1:	669C8380959984CC62B05535C18836F815308362
SHA-256:	6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774
SHA-512:	303143006C781260540E9D0D3739ACC33F2D54F884358C7485599DD22B87CCE9B81F68D6AD80F0F5BB1798CE54A79677152C1D3600E443E192AECD442EA0A2E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j&=..Hn..Hn..Hn@..n..Hn!fIo..Hn.s.n..Hn..In..Hn!fKo..Hn!fLo..Hn!fMo..Hn!fHo..Hn!f.n..Hn!fJo..HnRich..Hn........PE..d....h.].........." .....:...4.......A..............................................?.....`A.........................................j......<k..x....................l...A......(....a..8...........................0b...............P..X............................text...t9.......:.................. ..`.rdata..P ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {B27D822E-68C4-4CF6-961C-F62B0D119E2A}, Number of Words: 0, Subject: Windows, Author: ElLGDUGELFDK, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 17:35:37 2024, Last Saved Time/Date: Thu Dec 12 17:35:37 2024, Last Printed: Thu Dec 12 17:35:37 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	4526080
Entropy (8bit):	6.5649194117879635
Encrypted:	false
SSDEEP:	49152:0omhaJBcvYnZ5iXuoRNeycFTznJ95U0zjjZVeZlPjgzixI+vGYRnAWNTWw5EQbhp:WABcveycl20iuW5CfTRWXpd
MD5:	7E49C843B9BE3C41508F60E1DF899C48
SHA1:	EDFD6BC81E67DBC9F2B513BC0404AB73FD0F7CBB
SHA-256:	EECAFC62E71A490B60B1C5A72F70794B15DB756AB879F2AA63307DFA6283367C
SHA-512:	CCADE37586A0F3C9E555ED9E68534271057363B8D4F0AA10003522972EAD59A875F39E5EEC257575EF94C0469E3DD7B377032F5BF409D4C9598A7D465A5D606A
Malicious:	false
Preview:	......................>...................F...........................................................................................{.......^.......0...1...2...3...4...5...6...7...8...9...:...;...........................................................................................................................................................v"..........................................................................................................................................................................z.......................4...7................................................................................... ...!..."...#...$...%...&...'...(...)...5...+...,...-......./...0...1...2...3.......=...6...8...K...9...:...;...<...@...>...?...G...A...B...C...D...E...F...I...H...J....!..\|...L...M...N...O...P...Q....!..S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\FNCUNPTNLBMW.DNA

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	204
Entropy (8bit):	6.524007625247223
Encrypted:	false
SSDEEP:	6:uXphPJHpYvKNvarzc7Wqhd/2NZ4xJH6R5KMEL:GuvKNvKcUNgS5Y
MD5:	3E08DF5CDDD1F234418DB3C19F4C9700
SHA1:	67898ADFFD834CE604643B8835F0700D5A0FF4E8
SHA-256:	F8FC4386A90F2C819E9CA03C7821184AC0E65457A6CDCDACC4C0E7F10034D267
SHA-512:	E6580EA95E54B5F9A387E23B1425C950AEE3C59CEF02229A5CF5FD48F4F0665B2F2DE5C76465F7E54938EE47F1ACCD5F0353BACDA98042625061844811828C5F
Malicious:	false
Preview:	7z..'...d...p.......<.........G...k.L..f&*.Q....H.:\.w.......M..9.v.z.ld...\|.......i...lO4...VJ.\.v\|,...?K{Sp..X.3q6..rX_.8.s.^..%......oZ.....p......$.....S.\.>7..#r...B.>..#....].......n......v...

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Gme.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400480
Entropy (8bit):	6.6249170967240625
Encrypted:	false
SSDEEP:	12288:ke/EYk6LSMAROeK3nzAPSayAj7+fyJHbVJMs/ubUQ3Q/p:MQ7DAvhpGs/8UQ3QB
MD5:	CC4F1CDFA6A90B6152B8012E8C035DFD
SHA1:	011098BADE1BD47557147B8CF3BAF4A070CB9D7C
SHA-256:	7B9FF465FA54E5EDF69F0794D7CAF7ADC6D7B20534E6DA0181DC93DC062E7CCA
SHA-512:	0084BADEBBAC672904BD7E19019C2D86B4745DEA26229CE82E48E0A5134DF3FA42B4948C673B17432BFE14F13A82B0BAFF3B5D861AA4AB3A951AF40793780CE1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..N>.EN>.EN>.E.qXEM>.EGF[ET>.EGFJE.>.EGFME.>.Ei..E[>.EN>.E.>.EGFDEg>.EGF\EO>.EPlZEO>.EGF_EO>.ERichN>.E................PE..L.....rZ...........!.........*......?#.......................................P......j.....@..........................m.......^..........x................5......H3..0...................................@............................................text............................... ..`.rdata..d...........................@..@.data....q...p...6...Z..............@....rsrc...x...........................@..@.reloc..PM.......N..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	427104
Entropy (8bit):	6.602064716561835
Encrypted:	false
SSDEEP:	12288:d54WjgpIW+m/CbqwcAjoZOtjEipBiRuL9JK:avGPJbtjEY2uL7K
MD5:	50B836C0E21FD4EF3F6F6102F9162FEA
SHA1:	704834D4BE32AD186FD761E908CC0518AC2A8117
SHA-256:	8CFC18609E75074EB0FBF3C87C1B41E263DE503083A7EBBB00643E0F05A2920E
SHA-512:	B2C220F954A38B7EBC44FA60454CD8322A21714F1E3D593F32B7C4865113157965E1C8C0821F60F1865270FCB2529EBF8CDD32F1DE44A7626C0D0DB304C72644
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p...#...#...#..T#...#..W#...#..F#Y..#..A#...#/V.#...#...#...#..H#:..#..P#...#..V#...#..S#...#Rich...#........................PE..L.....rZ...........!.........F.......c....... ............................................@.....................................x....@...............N...5...P..88..."...............................k..@............ ...............................text............................... ..`.rdata..r.... ......................@..@.data...Dm.......6..................@....rsrc........@......................@..@.reloc...Y...P...Z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	572512
Entropy (8bit):	6.263529853370218
Encrypted:	false
SSDEEP:	12288:Azb0JSwmBU/no1rNW23dImf/D/cnlu41T3ork5d:AH0JSwmko1rNW23df/D/cnlhp3d5d
MD5:	984829AFB3ED76FABCAB8AE4BE1FF15C
SHA1:	2498F20AB62E3061FB144C7CEAE5CF254D6C7095
SHA-256:	F257E86E42D7546C37AEABDC7BF1D00BC09E7B26D9AF4478302FF2B872187C33
SHA-512:	5270AE482E8C462B5360DD60C06D8757BE5F7E513A0A7BF993F3F088A67516AAA0A744CDBD034828D3AAF5E6EADAF630317ACF325B03E028398C7EAC12A97B04
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........BG@.....pC.....pR.....pU.L...........f...p\.....pD.....ZB.....pG....Rich...................PE..d.....rZ.........." .....F...:......,T...............................................V....@.....................................................x............p..Tf.......5..........pe...............................................`..X............................text....E.......F.................. ..`.rdata..Tx...`...z...J..............@..@.data............@..................@....pdata..Tf...p...h..................@..@.rsrc................l..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	572312
Entropy (8bit):	6.6114481461607175
Encrypted:	false
SSDEEP:	6144:KmuYzDRB54CwW2U0lY4woeFuA0TpxVQ8Y3Ew+zBsPO3erF7q0zoCiJbDjdxzF5og:Ju+469PqNYsBsPTziDjLbCEGne9Z
MD5:	5CC95EA39AB6D7751A1A85F832CCA011
SHA1:	387B60FE4F257BA8A0F5DA566709640F972EAA3B
SHA-256:	4BF5DD0ED84D6C7B4965628A22668F733C167427B20A4B56AE356205381B527F
SHA-512:	6E28E6D3D1A6BF4FB046A7F03F68FE27F8A7151465412EA4126AD3DD2A9DC9C89238923E858C644892D72D318CF2112C4AE60DAE363CC5EC41DEF1663BFDD101
Malicious:	false
Yara Hits:	Rule: Mimikatz_Gen_Strings, Description: Detects Mimikatz by using some special strings, Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, Author: Florian Roth Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.^.?g..?g..?g.=Nf..?g..ac..?g..ad..?g..Yb..?g..Vf..?g.=Nb..?g.<Nb..?g..G...?g..Ya..?g......?g.!ab..?g.!ac..?g.>ac..?g.>ab..?g..ab..?g..Yc..?g.....?g.....?g.H0:..?g..Yf..?g..?f.5=g.!an..?g.!ag..?g.!a...?g..?...?g.!ae..?g.Rich.?g.........................PE..L....Enc...........!.....,...\|...............@............................................@.........................`p.......q.......0...r...........r...I......dK......p...............................@............@...............................text....*.......,.................. ..`.rdata...T...@...V...0..............@..@.data...D_.......$..................@....gfids..............................@..@.tls................................@...PlugImm...... ......................@....rsrc....r...0...t..................@..@.reloc..dK.......L...$..............@..B................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Hamster.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	249768
Entropy (8bit):	6.601810977306283
Encrypted:	false
SSDEEP:	3072:/0jvJ1SDHfvcFHDSU4/eebh4HT4dK62HPWA2F0T7z/LDdUjE2rRNq5N5EuXCRfC:/0jTSrMtceebhz32HPWnoBUw2/G5r
MD5:	2EA3ACA1D36D16F0699261F77EE6ECCE
SHA1:	31C6575F5EC4F48ED3939FD5484F4E3D5869D3DA
SHA-256:	12B2AAA9C7222B13E97A0870006CFC498134F7182009C49FAD0281A85D5CD386
SHA-512:	30057B3491807413603C5A4668D020A384548CE6F41BA9DE6C708C4BF052BE10113AE5AAF41697ACC2AB56E9674EE8DC4669584FA9F838A9359842038F82394E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.....U....9.U......U.*...U..T.'.U.....U.....U.....U.....U.Rich..U.........................PE..L..._wWX...........!................................................................,.....@..........................M..R....B..d.......l................5......8...`...............................@...@............................................text...o........................... ..`.rdata.."~..........................@..@.data....H...P...,...6..............@....rsrc...l............b..............@..@.reloc...,...........j..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HipsLogCenter.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	555240
Entropy (8bit):	6.523642703236138
Encrypted:	false
SSDEEP:	12288:RzJibra10t6DBAAxFhNngOsLOsZDvnCjN8d6HVilI5hKRPnQ0FbgB4e:CbzipngOsLOsZL38IKb4PQ0Fbje
MD5:	4B481EA28EC7B065AD6C7FE7674AA363
SHA1:	152FC3DA4A1DF717623E4D57476A1D72ADD7F610
SHA-256:	92AA7045E70E2BBB706DCD1A1D9B41026CFA06FEDF0E48EE0CAE63B8B80084F5
SHA-512:	08F8388322D3623F8DBC23DB60E0542B972754FEAB4071C0FC7382F9EBD54313A8A10E5EBAC9D72E5F4909B23A2FCB4114B44BCF47F3090B029DDEA27CFF21B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\O..=!..=!..=!..E...=!.Kr...=!..E...=!..o...=!..E..b=!..E...=!..= .<!..E..=!..E...=!..o...=!..E...=!.Rich.=!.........PE..L......d...........!.........V...........................................................@.............................w............................L..P,...`..4C..................................8v..@............................................text............................... ..`.rdata..............................@..@.data...\........j..................@....rsrc................@..............@..@.reloc...Z...`...\..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	180800
Entropy (8bit):	6.720835675786583
Encrypted:	false
SSDEEP:	3072:zQPGqss58Kg5dqBLQ8/90/qTQPOfb7+sH1buHv/c6R2Wmjgk4Kq2iSiTHa89B:zQPB4jqBLQ86qsPOf+8RuHXc6tmv4KqZ
MD5:	91D9E316BD0533C92BDE234131EC7AB4
SHA1:	86D1997382E3FE81AC27B88EFE33E1773D095518
SHA-256:	62BAAD0A128B580889091F015384410BD491F21BB101682557B034ACB28E00D9
SHA-512:	BDD41A900EB1299815CA24FD78EE5499F20C78C5E62CAF11934A5348836C557AB402DF1D75B4932AA6E322562C8CDEBB120FC74137ED9D693AE6719C44C5718F
Malicious:	false
Preview:	MZ......................@...................................x...........!..L.!This program cannot be run in DOS mode....$.......N .'.A.t.A.t.A.t..zt.A.tX).u.A.tX).u.A.to'.u.A.t.(.u.A.t./.u.A.t.9(t.A.t.,.u.A.t.,.u.A.tK&.u.A.tK&.u.A.t.(.u.A.t.(.u.A.to'.u.A.to'.u.A.to'.u.A.t.A.t.@.tX).u.A.t.,.u.A.t.(.u.A.t.(.u.A.t.(.u.A.t.(Bt.A.t.At.A.t.(.u.A.tRich.A.t........................PE..L....@W^...........!................................................................i....@.........................p'......x(..x........................7..........@...p...............................@...............8...x#..`....................text............................... ..`.rdata..tD.......F..................@..@.data...h....@......."..............@....detourcX6...`...8.................@..@.detourd$............b..............@....rsrc................d..............@..@.reloc...............j..............@..B................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	219200
Entropy (8bit):	6.255426513524174
Encrypted:	false
SSDEEP:	3072:n7pWDP71+xRSkTt9XFD6RAtofSUAfohtDanx51K6flyT9S9:1WDP71+xR7h9XFBtofStomfK69e9S9
MD5:	C64D91E0734622D550F578CAC023FE9B
SHA1:	9B5F47305F02ED862BE6A8E6F6D48647F9311E84
SHA-256:	9AA97B67D074D85CAFB29A0A561DFAA2416A283FC8A228B6904D63D16C8C463B
SHA-512:	FD419DE7FBC7C0B9F33CD340E2DEF67849DF628799FC0507DFEB6F77DD8681232B81216D082155278EC7D158E99FB480EEAC884A8962F410321F91A89D500CBD
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........-...L.E.L.E.L.Er.^E.L.E.$.D.L.E.$.D.L.E..D.L.Et%.D.L.Ev".D.L.E.!.D.L.E.!.D.L.E.+.D.L.E.+.D.L.Ev%.D.L.Ev%.D.L.E..D.L.E..D.L.E..D.L.E.L.ERM.E.$.D.L.E&!.D.L.Ew%.D.L.Ew%.D.L.Ew%.D.L.Ew%fE.L.E.L.E.L.Ew%.D.L.ERich.L.E........PE..d....AW^.........." .........$...... .....................................................`.........................................0.......8...x....`............... ...7...p..T...PO..p....................O..(....'............... ......0}..`....................text...0........................... ..`.rdata...q... ...r..................@..@.data................x..............@....pdata..............................@..@.detourc.h.......j..................@..@.detourd@....P......................@....rsrc........`......................@..@.reloc..T....p......................@..B................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ImAVEng.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175728
Entropy (8bit):	6.544553321577818
Encrypted:	false
SSDEEP:	3072:ix5UgqxBe84iqhlPyKc4pquYWWM1qOrlhPzc8ylmyK5WodzzDi:i4pgbzTYWRZHrc9lNQzq
MD5:	B8FDC03B9B84A62C5C541524DCA2E723
SHA1:	5643ADAE63CA199F9C44A35F3B30947A0F8B6D21
SHA-256:	1F6F3DADCC4C3096EEBFB5CE5DB979755ABA5CEB9DB18E6CA6238F05B45E5F4D
SHA-512:	A31708C251967D484F242BE658E92E94D87671294CD2C959276EC3B739D46F3FC7D1140CC8F78640DBD9970EC2176633E67DD079A3182ACDCE0FA8A7DE366637
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.G...G...G...N..U...N..=...N..~...`a~.F...`ah.L...G......N..R...N..F...Y...F...N..F...RichG...................PE..L...2..T...........!................q.....................................................@.........................@`..U...pT..x...................................p................................>..@............................................text............................... ..`.rdata...`.......b..................@..@.data...@7...p.......N..............@....rsrc................h..............@..@.reloc...'.......(...n..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\KKVIOQVTEUTA.OKO

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	4838529
Entropy (8bit):	7.999964247779076
Encrypted:	true
SSDEEP:	98304:dyuKv/wWIsvrPq9Bj51aCo01eQI3rWHVNZCbNbXew9xJePD84rzt0V:dy9v/wWIsTujqEeKVN0bNzewTkPpz2V
MD5:	11C3B2492D2EFE15F6E49E06BBF6F771
SHA1:	3079536DAD9E3C6992DA6E5DC31CEA4691310125
SHA-256:	3B3D05AED876749A75D82D382314A20434D427BD44EE56DDB0C852C648A44040
SHA-512:	A79BAD2BBAFA2A096FB5CE90605FDFD6ABE55E004932AEAE588D67E0805724D88A40CF04CAC28FD4636F0CF19BDDBD3B1954B6CD9984D03EFED06D673B48C8A8
Malicious:	false
Preview:	7z..'...$.7 .I.....A.......50.QA..j..@..3.3gl.b."..&......28>R.$..Y..j..OBR`..S..3.UqQ..2J.r.'Y...;g........hn. ..S.W..c.,.gBJ&8`r.1s$...j.{...>.3.:...^...c..cW..r,:.....}...V...5t.,..Q.k......C"..:...... .5..U..}.b.v...9....{}W]....n.....U.8z...A.8....(..r.......&..zY..W...'n.Vh..V.-..W..K..S..$]y.I%.X....It........V.?!.....]..9.O...5.B.zF ..{ .B[...c..$..0C......OE.. .<>.Ht..d....F<.T.Zc....Q...).;..hX..F.....Z...8..."...Om4.X.H>...X.].h.N.9...HY.lv...fH..i.%C.V4.s.....2..^..W.9.>.x...P)....t.k`....=.J.!8K4.T..C>.M........{......8.'..d....%..R~.{..{s......RV....h..]...YQ...\|\|..'..1.W...4.......!..H...+C..?t.Em........%...b..f.?.es.....lO....?<]..x~b-\[. .............{F.,<6....../....?..L.u...eZvx.K.#+....-X.+..~L....[O....7.]&...5C."..Q........s.?N.-....jLf8..n>....6....z..)..O.6.....0.Y....~[..r.6j BEZ..4....6..sY.P3*.w..k.U......0,.....<h.o..}9}@=.v.b8w. ...H^.^-Q..t6f..`.M}'Sd.X.,.~<.^m...(..._.D.4....C..4<(...:...<..........^.C.q.PP..

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LJBPHRBSRLCI.FNG

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	11899681
Entropy (8bit):	7.999984606834096
Encrypted:	true
SSDEEP:	196608:OI9kryCdze2PCDz0SSDHFzQEZtFAXiJqZ9Ne5PbwGIIxCH5aLJkER/NF7tt5R:dkrve2upkHFc0+XiJqrALLJkETtX
MD5:	34C22F715FACA10EAA6D4F0C04811934
SHA1:	163259AB5704779CE2A8E3BE11A7E73C4A9D36DF
SHA-256:	9747A960BC2B94B447948C0A0C2BE72BF97E9C0AFA56E678CE5E5B29355D1752
SHA-512:	BE6DC349F0F55CBFA39FDFC5051CAFBA46AA468C5C13DB47CAB03F3FB7A3F8AC5A1B04C31CABFAD9196534305EE310104904EAC26EB540D9853B63A8F4B37C4B
Malicious:	false
Preview:	7z..'....z..........A..........E.l..r.I....!../.~.........5w.4.....\|...Q....xt..j-.9..+N.v.To.b..9l......f..%\.....J..'..ADh...%..7J...x..b?B.......k.....l.^........H..\.X....xt.>n.v...c.... lF.I.I......eF+..Z\|\|Aq.[h6.\...M........;I\|...eN...+.y..W....?............u.>.A]..~.......YU.- ......aM.V..Cb.`.F.9XM.M.+...nT.T.%./.l=../..M..[@n...\%........N;.....i...f...+.Z\|..aIa.b...r].n...N~&..D......F.$..}....ut.ex-....O.%...MXn.u...G.$(.X..Mn\J..r.[..4.,f@&.#.)...J..}..1O.....0...G.......H..T.&.<.......$.q.j.S.....a..&.?...K}..XS....m......b..s.\|...,.=...e<.K.....wWE/......V..0g...6G,7'...<<.2Z....G@.n....R..^g....h.>A..u......m.4..U.e.....p.....4.gG....~'.s..qE?N."..>.xa.:F]..q."....[....q..D......s...#.L.mh..:s...m\|...r&.....^....v!...\. .`...b.s./T..g.\).eV{'..wo..x.=.L..p......%.C......H...2....o.#.! .t.....7....$..Lz.$.&0.6.f.s0...SK2.......bH..Z.&L.[#i..>...$....^M..`...W>*...a-m.;......!...}%..d0..]...O..l.F.....(....C.1.$.

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313952
Entropy (8bit):	4.32348576044483
Encrypted:	false
SSDEEP:	3072:7cxIVD6kUS+hV/EENZH3JzJPlZ4k5O0f+BC9vCfFL:ooehV/pJzJPHM
MD5:	A88A6FFF171F7FECF8668DA1EFC843DF
SHA1:	E4C8B375BBECF5790B2B0444B049CCE11659D598
SHA-256:	34CCCEC093F5711D1202F54BFE8756E093E4F84099EC7D609AB9658C3C941921
SHA-512:	808F6E217F5E157663E66B46429636C4D811ACA7C5672EDD1B003377BB4A039265B4FB905B4ADE39D81B3E64E7793BE8278454155E8BD2EE92FB5B6F919563EE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................l.......z.....h...............}.......s.......k.......m.......h.....Rich....................PE..L.....4Y...........!................e ..............................................'H....@.........................`...K.......<........................5..............................................@...............\|............................text...M........................... ..`.rdata...N.......P..................@..@.data...........j..................@....rsrc................`..............@..@.reloc...*.......,...f..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	362400
Entropy (8bit):	4.208790369342181
Encrypted:	false
SSDEEP:	3072:ZGlYJdSi2t2SwbVGMuyic94uxJmXs/wIb8n9ssWy5cdJEnpOwD7A51B8BLRPrB:0lYXSi2ttqWc/PYOy5cQnpOS51
MD5:	3D01B2B5288974E922B6417FD3B02373
SHA1:	5649D3E7E15D1BF707CD7C28FE9931E5620EE9ED
SHA-256:	B438EF547753F91577730FFE9321563E7DD4ABBCBF056ADEE3C49906FC1EABD4
SHA-512:	F0C0EEBA22F33A4C596FF1272D681E7A349AB60112FD0AF5C75E07F065F35525C332270DE0ECC171D0B4BF53C3BC79C4E40BAD0EF1A0418A2D5DE882765D2FEC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.\|\../\../\../Uef/(../Uep/V../{./Q../\../.../Uea/i../Ueo/W../Uew/]../BOq/]../Uet/]../Rich\../........PE..d.....4Y.........." .........F......lz...............................................f....@.........................................pm..M....b..<............p..\|....F...A.............................................................. ............................text...L........................... ..`.rdata...].......^..................@..@.data........p.......\..............@....pdata..\|....p.......&..............@..@.rsrc................2..............@..@.reloc...............8..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LiveUpd360.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647184
Entropy (8bit):	6.591959886632138
Encrypted:	false
SSDEEP:	12288:I/8iKgqct1l8h5H/30CrYXUjniBZoStkf0EOl/mvxxXiINkYF69+:NbhV0gMYnigStkMEMSxXrmYF69+
MD5:	960B05116F13AE8E8B17A6BA2919BF2D
SHA1:	D1A58D1F65272198D0A6657B06FAE6D27F1E156C
SHA-256:	00354506D4F1DD6A1FDF9450CA4A8E799A5A420A1A47BA3E41D7B30D8D02440A
SHA-512:	7A05E3178ABB8F92AA3A61F8A3156C87BD46F03F12D8EFC6CC1FEEE36B2508816E761BF6A3385BBDA2DD16EA3AB9CB4A5B899C3D844257811F0B3D9C4464713B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`..`..`....`.i/]..`...^..`...H.%`...B..`....`..`..`...O..`...Y..`..2_..`..`\..`...Z..`.Rich.`.................PE..L.....b...........!.........................................................@............@.................................(...........................xC.......N.. ...............................X...@............................................text.............................. ..`.rdata..C?.......@..................@..@.data...8........2..................@....rsrc..............................@..@.reloc..<d.......f...4..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\MiniUI.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921160
Entropy (8bit):	6.7626587126151065
Encrypted:	false
SSDEEP:	24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
MD5:	5123C3B8ADEB6192D5A6B9DC50C867B1
SHA1:	6D142074A21AA50C240CE57CA19A61E104BBDF41
SHA-256:	273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
SHA-512:	067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2..f}M..2...JN..2...JR..2.......2.......2...2..3...`_..2...J_.y2...JX.%2...JI..2...`O..2...JJ..2..Rich.2..........PE..L...h..Z...........!......... ......Q........................................ .......G....@..............................................................7...P..$....................................'..@.......................@....................text............................... ..`.rdata...].......^..................@..@.data...X.... ...X..................@....rsrc................j..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDefender.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	451480
Entropy (8bit):	6.641728581015286
Encrypted:	false
SSDEEP:	12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
MD5:	2C63554380D33E2AB153CB285E72C2F8
SHA1:	1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
SHA-256:	F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
SHA-512:	96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`.q.3.q.3.q.3B>.3.q.3...3.q.3...3kq.3..3.q.3..3.q.3.q~3.q.3...3.q.3...3.q.3...3.q.3.#.3.q.3...3.q.3Rich.q.3................PE..L....tc...........!.................}..............................................D.....@..............................................................I.......7.. ...................................@............................................text.............................. ..`.rdata..o^.......`..................@..@.data....w.......2..................@....rsrc................*..............@..@.reloc...Y.......Z...>..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDiagDll.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337736
Entropy (8bit):	6.495942481063909
Encrypted:	false
SSDEEP:	6144:g1wCwn8QI2fm53Nx4Lj23TIae3m7jwyhb/7hjW7iBH+ljFx5mcvbKr:gmnckm5dy63TRe3XyhbNjWep+ljFx5R
MD5:	22C3095414CE54C8405225E3BCAAE591
SHA1:	9F0515A564B5077F49AACE011E84AF51F9973F32
SHA-256:	B734DB11E973318D728FE92E112639AE5B8876C855E6507315C707D04D3E0746
SHA-512:	2BE22658A038F8061B398489C357EFBA0F920FA24655A53650593D4924EE565E445D3A7CFD2C9689BC3A79E8355157004640E49B0249FCA63B3EBE11726D42A8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T....{.V...].x.M...].n.....].i.....T......s;..O...].g.G...]...U...J.y.U...].\|.U...RichT...........................PE..L....fgS...........!.........(......~........................................`...........@.............................U...l....................................,..`................................S..@............................................text............................... ..`.rdata..............................@..@.data...8Z.......0..................@....rsrc...............................@..@.reloc...A.......B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetSpeed.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499432
Entropy (8bit):	6.633998530829339
Encrypted:	false
SSDEEP:	6144:2gz1k3fKRVIpJcADwPkUeKvd8C/RxC4MwYXlHUCMJ/TBJnt8KZ0Se+4xichK4:tMfKRGJc1tnPC4MwYXVl4/Trt8K61s2
MD5:	049791828DE05D24D29EC9C8687F8B1A
SHA1:	2B6D787EB078DFAE0C6718A9D99D06CEB01FB273
SHA-256:	D418DDA34640521B8695642C7A7E719F173F706472617CFF4ED343FB68211862
SHA-512:	7E36019A163F55932F95D33FACB216B69244DC8D5506CFD1D2E707A736AF448D7A4F78ABEAF85CF0F42E4E18B7EB1D330A9788F73773E6BE23A61C6B2981136F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............a...a...a.......a.......a.......a......a.......a.......a...`.D.a.......a.......a.......a.......a.Rich..a.........PE..L......c...........!................................................................\|.....@.............................a............p...............r..P,......@F.................................(q..@...............`............................text...E........................... ..`.rdata...G.......H..................@..@.data...Xp.......,..................@....rsrc........p......................@..@.reloc..\|d.......f..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Netgm.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343784
Entropy (8bit):	6.490658338748216
Encrypted:	false
SSDEEP:	6144:rFp+cWO/EibdFr0Zv7U7bAb1qi8JU0Wexe/1Yd02Y+VZRg43r:rFMcWO/Eib3r8jU7Q1qi860WexexEGe
MD5:	6E5F6B4D49768E131EF614DD07E5EFA5
SHA1:	DBA90982727A9373C8D97E72500D89814184C7B6
SHA-256:	EE326C156144EB89DE76C21C66BDA10BD22922B1A9C85615CACEE84DF355604C
SHA-512:	12FF45D6F469B577E74A62B866DAE2A879751654A6627250286E3CC4F319411FE901155347DA762010F373BBEB46F2BD95E0428893242EE4707BEFA7312CF92D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o... ..o.....o.....%o..=..o......o....o....o..o.._o.....o.....o..=..o.....o..Rich.o..........PE..L....P.d...........!.........d...............................................p....... ....@..........................Q.."....@...........Y..............P,... ...*..0...............................x...@............................................text............................... ..`.rdata..2...........................@..@.data...._...`...2...@..............@....rsrc....Y.......Z...r..............@..@.reloc...C... ...D..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmLogin.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	533600
Entropy (8bit):	6.567835943059589
Encrypted:	false
SSDEEP:	12288:OgmCH8ZkhmmpKJiv/Dn5EWomaMIhEKf3Io7fknS52:Og58GnOthL/I1nW2
MD5:	5D7B815A95164AFB4A8E35240644793D
SHA1:	3AA5BFB8B2EE68C33BEB3190480CBE0149C29A96
SHA-256:	1158A8B493FC607354DD21E5A601760C082C00EB8B69E839E17E4A198C807418
SHA-512:	95E06406294258A3F81446A17E5CF67A02EFCDB0DA257F32ECD5B48D3F00B9BE628E2F82C04856191CDFDE02474ABC62D64D4A200164D7F6149993E548C8A335
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o.o...o...o......n...f..w...f......f..!...HTz.~...o......f..$...f..n...q...n...f..n...Richo...........................PE..L......Z...........!.....F..........'........`...............................`......v.....@..........................U..P....G...........................5......LJ..@c..................................@............`...............................text...iD.......F.................. ..`.rdata.......`.......J..............@..@.data....r...`...8...B..............@....rsrc................z..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247016
Entropy (8bit):	6.914297747665078
Encrypted:	false
SSDEEP:	3072:LQvXrZQoI8GHJg9bb9wv/cZD9Da5TUUQJYlCXbKJOZwFSYG0GTO/X3/mCP0V:kFIZgXwvkZqUpJRGOZwFVG0X/mXV
MD5:	5B4C825671418F34D95EC1F7BB55FFA1
SHA1:	C0AA182B281EDB4F06BDC98D7CF413AF948AB50A
SHA-256:	AA51AE325D53D586532145E0C6E702247654502C0349C5FC570D7155353B045A
SHA-512:	BEC6D76883BF786F93BCA0E32A36CF21002D5E1CDC1C098628D9D50D1E8E40B0E44C6AAA07DD8B503ABA5B638D44CBFAAF6C4BFB0E9F6C8F49470D7664432F73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..#...p...p...p..ap...p..wpv..p..pp6..p/1.p...p...p...p..~p+..p..fp...p..`p...p..ep...pRich...p........PE..L....B.e...........!.................$....................................................@.............................]....i..........x...............P,..........`...............................HM..@............................................text............................... ..`.rdata...q.......r..................@..@.data....N......."...p..............@....menu_sh............................@....rsrc...x...........................@..@.reloc...2.......4...b..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	290024
Entropy (8bit):	6.537709606383622
Encrypted:	false
SSDEEP:	6144:AhEzpelia8VSPgFmHKbDNATfCfzWNunIj1EpJRGOZwFVG0SJK:AhSpelaSPXMmLC7W4iOZYG0n
MD5:	0F15D28EB4CCD9DADFEC0305BF5F8E2A
SHA1:	04DE9FA6736978FDEFA031082C58FFCD0169861D
SHA-256:	F06872A9A6A6AFB4FEA670385694EA364F271705FB89B09E4390E95752A98F25
SHA-512:	955B8C3F383C66B4249510A20890C856994F2F4E9FA40C374B472B9E19AC2441A86BE67249F13E1F624AAF2F03D0F6A73F69A0E3D73178F2FC39843382D1041E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..Hq..Hq..Hx..H...Hx..H{..Hx..HN..HVT.Hl..Hq..Hl..Hx..HR..Hx..Hp..Ho..Hp..Hx..Hp..HRichq..H........PE..d...7B.e.........." .....L...........]...............................................L....@.........................................."..]...0....................#...@..P,......P....h...............................................`..@............................text....J.......L.................. ..`.rdata..M....`.......P..............@..@.data....j...0...,..................@....pdata...#.......$...@..............@..@.menu_sh.............d..............@....rsrc................f..............@..@.reloc..L............2..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmonEP.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	160584
Entropy (8bit):	6.648758970829866
Encrypted:	false
SSDEEP:	3072:ABDE5pe7xyshJiszc1TLQXDNxLYeW54C:Aip4ysYTLcXP
MD5:	EFEBB6F93832D5A7EEF3BD4EB81D4A79
SHA1:	9A75E55A08422E7B6A7D695EBB0F61589B31005C
SHA-256:	542928806DE9A653C52250A0AB3D7847EF9249C195C00B82E5BDEB066AE6D2DF
SHA-512:	D9F276F0556539739289585B55482034BDF99F0C18917720F1AB84B870DDA3E303792CD4DF85183155BFFF8DA174EFBE8A74506197B268D632BA6916AF00E521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m..,m...m..=m...m..+m..m.Y.m...m...m...m.."m...m..:m...m..<m...m..9m...mRich...m........PE..L......S...........!.................`...............................................................................*..V.... ..d....`...............X.......p......................................p...@............................................text...I........................... ..`.rdata..VJ.......L..................@..@.data.... ...0......................@....rsrc........`.......4..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NotifyDown.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	549488
Entropy (8bit):	6.736896619735914
Encrypted:	false
SSDEEP:	12288:XLgRCEprkKZlVgTndpHpTVWDQZNrHIGUYmHASzK8BnWToS09:7gAEprcnLVADQbzIGHmxK+WTO
MD5:	14274CF241144895CA05CD456197F573
SHA1:	4D4009B0A2F7BA56C6C98DC823C41085EF4712C7
SHA-256:	113562BF950B39E9466E8F646C84AAA93F6B2C89530F56913B0B36E0096239A0
SHA-512:	5A8009D935EB59B10523494C6C9D0A79FD29B0FA41CBA046E9CCC60A8D2EBA05CCC23D881E121A4526371E21B7C9DB6CC62783E1A5ACAD019705970C9F52091E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y.....y.x...y.....y..J...y..J....y..x.P.y.......y.......y.....y.....y.....y.Rich.y.................PE..L....u.T...........!.........@............... ......................................j.....@......................... q.......R..T........Q...........L.......`...M...&..................................@............ ...............................text............................... ..`.rdata...R... ...T..................@..@.data....z....... ...^..............@....rsrc....Q.......R...~..............@..@.reloc...x...`...z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Ntvbld64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PDown.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253456
Entropy (8bit):	6.554744612110189
Encrypted:	false
SSDEEP:	6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
MD5:	637FB39583F9C2EC81E0557970CD71AD
SHA1:	ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
SHA-256:	330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
SHA-512:	F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........gOT...T...T...]..B...].....]..Y...sTr.C...T......]......]..U...J...U...T...V...]..U...RichT...........................PE..L......b...........!................W...............................................j.....@.........................@L.......=..........T...............xC..........@................................!..@............................................text...)........................... ..`.rdata.............................@..@.data....H...P...(...:..............@....rsrc...T............b..............@..@.reloc...,...........j..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PopSoftEng.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662920
Entropy (8bit):	6.526894314465185
Encrypted:	false
SSDEEP:	12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
MD5:	C3EA1FBF2B856FC25E5348C35FF51DD9
SHA1:	87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
SHA-256:	6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
SHA-512:	298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.............~.......~.......T.......~..........................J....~.......~.......T...............~......Rich............................PE..L... .._...........!................q........0...............................P......8.....@..........................J..N...D9...........................6......PT...3..................................@............0..(............................text............................... ..`.rdata.......0......................@..@.data....~...P...8...4..............@....rsrc................l..............@..@.reloc..Vn.......p...t..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\QKFJSGCGWGRQ

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.2011029533052096
Encrypted:	false
SSDEEP:	3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
MD5:	E7EE8D889FBD33DED17EE00BC9E98ED0
SHA1:	A153B28DBB602C58A606A44906F38128E85CD285
SHA-256:	2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
SHA-512:	006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
Malicious:	false
Preview:	[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\QseCore.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	849224
Entropy (8bit):	6.7893930691706075
Encrypted:	false
SSDEEP:	12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
MD5:	AA4E9E8A1B0B7C4126451814701A449F
SHA1:	7D988C453283C345E17422FC4B2B6CCFD8200245
SHA-256:	6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
SHA-512:	0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.{....O.{.....O.{....O.Q;...O...L..O...J..O...K..O..O..O...K..O...J...O......O..N...O.W.F...O.W.O..O.W..O....O.W.M..O.Rich.O.........PE..L.....6]...........!................E...............................................f)....@........................../.......0..d........................6.......W..P...p...............................@............................................text............................... ..`.rdata...........0..................@..@.data....F...@...,...2..............@....rsrc................^..............@..@.reloc...W.......X...d..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\TP453990d4df32.TPL

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	719
Entropy (8bit):	7.651157103123239
Encrypted:	false
SSDEEP:	12:13GQDv7sWgZDAIXQk5m/2MnB82RU+JR/DoZMIZ6XO1a/oCfGEAxTNBfJb4eWNudj:1GQDvMAIgk5meMBXfsrZ7a/ODBpdj
MD5:	2322FEDC1A270A91A3584496BF609CEF
SHA1:	F422C6A1AC8BA5911C2A74BCBC052D11E43A3F97
SHA-256:	832BD52C260A50338ABECA0E16A65ACE58DDBCD16F5E65A30BA9362822376763
SHA-512:	575891E907D02DEA426EFA6DFB9AF11A4B2C23FA7C73C85ADA4C555085A6C0B14A76500974D89D1726A6853C8836F90A112F928DEE250E86681415DD2A8242CC
Malicious:	false
Preview:	7z..'.....b.p.......?............G.>FK.~)K..0+.B.....#..F..5}H.....3>...0RR1.x....T.P."X..%.BR..TA(.\|L.B..U..2.9...EW....2..R..P.[X.Z.+.3..u.....9..vOy.]kN..3E.vk.4t..]..../.}Y...zZg~....a..A..k.`vD.V.~.. 'w...r....<P}.`.....3v.=......5..4.qBo....q.B....?e....u.W.\|y....TL`.nE;..5.&.+.S...t.."xh.. ..z.. .b...=..l.\|...(.h.+..f.D...).[.uO..$._.....s.&q1.$5.R..P.....:...iNL"SX."...b...).0......d..9/......+..C`.+.........2^.......M..j..P.+.`.5.m...X...J.As.....S<<.S..\.......j......7H..R&\a...4$".P!..r.l..o.R.Z..............y..g.\`..#M...E.....oZ..\|..K\|H..f.09B.....>.....S.9b.I....s.].....i2.U...H..zv...6.s.\.O...-=...............$.....S.V......U..1..0.#....].............[....

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\TroPox-B_Plus

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	data
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753264
Encrypted:	false
SSDEEP:	12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
MD5:	C4A08B391245561157AEFD0FE7C40A11
SHA1:	28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
SHA-256:	53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
SHA-512:	24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............*3}...........l......l..Y...l..... 8..... 8..... 8..............&..........~;.....~;.....~;.....~;.....~;.....ip~s...........................k\..W.....d..................u...C.......Y............[......................................[..........................................+..?...........#7..k....;..+r...W..o............................W..[.............................................\|.....Sw.......u.....................{...x.x..?0.......1..................[..[..x.x...Oi...K......................[......~...?....+.......A..............[..[..\|w.~..+r...;...s...Y..............[..Y........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\TroPox-E_Plus

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	data
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.306110093863136
Encrypted:	false
SSDEEP:	384:U4MHLZo6ULkil3CtzKIoTRp6n7B56TXGy5+:U4MHLZo6ULrCtzcTRpUd5S2K+
MD5:	ABE42D544B1002D50801E3075576F455
SHA1:	58B6CFBB60EF6AD2734C163C4C83B04CBF617AB1
SHA-256:	3D48A8F09DE2FD202BA4922D944FA7FEE03B1DF13FC3BFC22BE814937CEA52C6
SHA-512:	C9B842A687FF0A6DC4E242AEB3CFB6964A7D4083A9D9A1583B1F85E949E68451C24744DDB07531DBE03B0539C9F1FDF5BE3F400D1A523325BD114633564616E4
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............;.9....9...9...9.~z9...9.u.>...9.u.>...9.u.>..9.u.>...9.~.>...9...9..9.u.>...9.u.>...9.u.>...9ip~s...9................k\..W.....or.....................................K............................................[..........................A..o..._F.............................{......M..C...................[B......{M..[............K................................\|....................................{...x.x.......K......................[..[..x.x........k.......M..............[....\|w.~......{.......C..............[..Y........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\TroPox-Z_Plus

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	data
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044707
Encrypted:	false
SSDEEP:	24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
MD5:	C77EE913C46510A705A9DDDD91DE8302
SHA1:	CB5E045FA27186B9F23E4919590387478B9343D5
SHA-256:	092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
SHA-512:	A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|...............K<+.K<+.K<+..@x.D<+..@~.P<+..@y.<+.y.,.<+.y./.<+.y...<+.@..H<+.@..B<+.K<(..<+.#...O<+.#./.<+.#.,..<+.#.+.H<+.#...H<+.#.).H<+.ip~sK<+.......k\..W......~.............................B.......;..........................................[.........................k...........k...................#...k..........K..............................k..[............;..7.............................\|.....<..............................{...x.x.......;......................[..[..x.x...K...;...O..................[......~..............................[..[..\|w.~.............Y..............[..Y................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fhjyy.exe

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\filemgr.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	618728
Entropy (8bit):	6.588792056328895
Encrypted:	false
SSDEEP:	12288:B+jJIpPUHR7IS++ZbaL/mH6yf0fvmuZqhI8XlF7YfkLfm7WUjxioncm:U++4LVs0QpFaIm7WKgoB
MD5:	6E8F89DA86BB82538932DB314C2208F8
SHA1:	A86C373D7BC49032F0EB7D0BB01DA74BA67B4F43
SHA-256:	ABA5E0FFC2D21CB5045D13CE66F8D80862600E37431D20E999295CB07DC5EF3D
SHA-512:	7EAA25D7AC722EF7687357356AC9635B80158918BDA03C3A7E49387BEACD8CD2A9A2ACFD8B5D13571453A7279772FA726A75C9DA0FD7EC6D5BAF202FB928F00C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9..9..9.MvF..9..AE..9..AZ..9..AS.e9..AC..9..9..8..AT.v9..AB..9..kD..9..AA..9.Rich.9.........PE..L....t?e...........!.....8..........b........P......................................).....@.........................p...O............0...............D..P,...@...U...T..................................@............P..$............................text....7.......8.................. ..`.rdata..._...P...`...<..............@..@.data...\|s.......(..................@....rsrc........0......................@..@.reloc...m...@...n..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147176
Entropy (8bit):	6.792908985087195
Encrypted:	false
SSDEEP:	3072:oAhT/95cw+pUD+U7s3H9xMaZ7DdJMq5mZZEGP0V:RBADU7s3H9xnBhJyZZETV
MD5:	2EEFCD3D407E4DA935E5B60EF257E153
SHA1:	34F56846E9F48F9775DD8250897345B7736DE213
SHA-256:	837B3DE5BF545BAB85599F0B6D36D8DFE4B3595AE94254CF7C968D1D7DA86F35
SHA-512:	EA05765A18CDA52A7398E04947C8DD6828BE06B07261C612BB8E550656FF5F9EBBD37F85C07007980044D2036171227EEA978B0D0592D6D584A5DEFE53BF8968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J...$...$...$.e.....$......$.....$......$...I...$..._...$...%.{.$......$......$......$......$.Rich..$.........................PE..L...\|Q.d...........!.....Z..........X........p...............................p......}.....@.............................l.......d....@..................P,...P..\....q.............................. ...@............p...............................text....X.......Z.................. ..`.rdata..L_...p...`...^..............@..@.data...\|n.......,..................@....rsrc........@......................@..@.reloc.......P... ..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	174824
Entropy (8bit):	6.422260069407969
Encrypted:	false
SSDEEP:	3072:vjNq/3Jyz4vHAYH7EKJ3eAlNd09cd7g9EEnQHBdp5FFmvBh7P0I:vjN6yKNBJ3eAdNEEEQHB/F4BhII
MD5:	ED2ACECC811ABF288316C709E2F2D943
SHA1:	0CCE7CC3687CAAF59E6DEA1A90D1214782B5742E
SHA-256:	C3E9F2023A28A2115D15D8DA451B8105771C4D4746F494CCF83FB28623CF724C
SHA-512:	9DD510EABDB4D59B82A7492DFE6A6D11C47721DD0B7F0F22C8060063A94E36FE93A28EC19815AA68F89B1B807AAE584B304AB15D183493295B7E13E65527BEE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xI~G<(..<(..<(...g..?(..5P..Q(..5P..7(..5P...(....}.>(.....=(....k.+(..<(...(..5P.."(..5P..=(.."z..=(..5P..=(..Rich<(..........PE..d...UQ.d.........." ................................................................G.....@.............................................l.......d...............x....~..P,.............................................................8............................text.............................. ..`.rdata..............................@..@.data........ ...L..................@....pdata..x............Z..............@..@.rsrc................p..............@..@.reloc..\............v..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\heavygate.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	559000
Entropy (8bit):	6.789431209891293
Encrypted:	false
SSDEEP:	12288:OrswC3DEddri7Dj1XHmyZQNCAGTFgRJz/9i:gsP3Dwdri7DjlHECAGC//9i
MD5:	EE6AA967C56CC0D0820C95D4FD89FB30
SHA1:	D1C5161FB8CCA7FEDFFC1056FAB8D79309EEC01D
SHA-256:	C7CC69762AE72840D200C14E652A460807F487059F7D0780E245AB36AF445B9B
SHA-512:	8502D5E4BB48FE3ABCA897F293199815CE7DBB67E4983BF9A9631A4F92602289FBF08D42DC547B96E1C8338C77108019B952DAA5D682465C7C5567CCBAECEEAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.$PL.wPL.wPL.wY4?wJL.ww..wSL.wPL.w.L.wY4.wwL.wY4)w$L.wY48wQL.wN.>wQL.wPL=wQL.wY4;wQL.wRichPL.w........PE..L...y.`c...........!.........F......*M...............................................)....@.....................................(....P..L............>...I...`..h...0...............................0...@............................................text...\|........................... ..`.rdata..............................@..@.data....B......."..................@....rsrc...L....P......................@..@.reloc..X9...`...:..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\hipslog.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49480
Entropy (8bit):	6.739956450503979
Encrypted:	false
SSDEEP:	768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
MD5:	E2D837E2B4DDA87A82553631E7D5627A
SHA1:	9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
SHA-256:	A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
SHA-512:	3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........@3..!]..!]..!].Z.\..!].lH\..!].e....!]..IY..!]..I^..!]..GY..!]..GX..!]..MX..!]..Y..!].lHY..!].lHX..!]..IX..!]..G\..!]..!\.=!].cHT..!].cH]..!].cH...!]..!..!].cH_..!].Rich.!].........................PE..L...>.?]...........!.....X...,.......Q.......p............................................@.............................t......P.......X................6...........z..p....................{......pz..@............p..(............................text....V.......X.................. ..`.rdata..~....p.......\..............@..@.data...P............x..............@....rsrc...X............z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	383720
Entropy (8bit):	6.579374990134974
Encrypted:	false
SSDEEP:	6144:oG1pYD09uIwtl0F1LrheKG/HYStQGz1DAOoQGEnb5bj1hFu:X7g09uRlYeKG/DHegbjs
MD5:	3CE009AFF2FE459A8248693AC8DAB788
SHA1:	607444A7B8AB2E17C525BBE0B28878C3BD0F8099
SHA-256:	11856EE1D754D31AF95F1047CE6B68CA2395C703A995525FA5D9E4A2678D0B86
SHA-512:	1AB4ECB89B07F09985B57F0D546FE6063D8ACEDE435F74075EF9A37288F7D9D19DF168AAEDB38093D88BA2E515CBDABB23F87163AC8FCF9A706448B0F4FC2774
Malicious:	false
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......d_f4 >.g >.g >.g...g->.g...g.>.g...g=>.g)F.g">.g...g%>.g.`.f4>.g.`.f.>.g.`.f.>.g)F.g">.g)F.g3>.g >.g.>.g.`.f.>.g.`.f!>.g.`.g!>.g >.g!>.g.`.f!>.gRich >.g........................PE..L.....8e...........!........."....................pe......................................@.........................0...................8...............P,.......L......p...........................0...@............................................text...}........................... ..`.rdata...O.......P..................@..@.data...p^... ...0..................@....gfids...............:..............@..@.shared.x............<..............@....rsrc...8............T..............@..@.reloc...L.......N...^..............@..B........................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	406248
Entropy (8bit):	6.190903413261375
Encrypted:	false
SSDEEP:	6144:OazgQG4JdLe2p+teZ3q9y/3clyMEcLeowam/xohKKJJT2pgJ1JhfQeUnZdnkewZ:HgVGemGeNlYbR2am/xolx0nZZjm
MD5:	E5E4828980E5C836163382F9642D4D24
SHA1:	E8BFB72EB75D20DEEA9152089B7092E07F2EF2F3
SHA-256:	639EA37856839C2D5446A82441D7AB94204EE1172487EB88E9AC1CEB6261D554
SHA-512:	6F621EC441CA46CC48A48056F8E278FF746ECABDAB1933C0FEE18574EE366BD9721487D6462746B6874A5B2CD4D8FC327B5089F351CE8086E10061791034794B
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........o-a..C2..C2..C2.h@3..C2.hF3Y.C2d..2..C2.f@3..C2.fG3..C2.fF3..C2.hG3..C2.hB3..C2..B2#.C2RgJ3..C2RgC3..C2Rg.2..C2...2..C2RgA3..C2Rich..C2........................PE..d...j.He.........." ................l................................................t....`..........................................J.......K.......P.......... 1......P,...`..........p...................p...(...p................................................text.............................. ..`.rdata..............................@..@.data...,F...`..."...H..............@....pdata.. 1.......2...j..............@..@.detourc.F.......H..................@..@.detourd(....@......................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887648
Entropy (8bit):	6.72536750906441
Encrypted:	false
SSDEEP:	24576:rMl3YXVguMMrGA+64Z/fOl7FPZ1ZGf4a9nCFECq3N:Q0LMe4ZHOFPXZGfNCFEzd
MD5:	CFB50C3C7D74F518CA9E2828E702145E
SHA1:	E38FD98574C08BCC6415E62EA7C9A380958A3D1C
SHA-256:	1C8FF953478CC71166A36181ED32AE7C48B267B011240DB2C701E35D391A66EE
SHA-512:	BD08332BDB78614F1CDFD2E4939B1B9400476D99B50996C17C0277ED76DB5972FAC5EC77DCD4C56459DAA11C6126DC12D66A4E59122DC9B8D89FF6DF89B83240
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%.U.K.U.K.U.K....T.K.K..R.K.....S.K.....R.K....p.K.U.J...K.\...C.K.\..v.K.\....K.\..L.K.\..T.K.K..T.K.\..T.K.RichU.K.........................PE..L....N.]...........!.....f..........................................................^]....@.................................L...,........j...........V...4...@...s.. ........................6......X6..@...............d...\...@....................text....d.......f.................. ..`.rdata...d.......f...j..............@..@.data...........p..................@....360_iep(............@..............@....tls.................B..............@....rsrc....j.......l...D..............@..@.reloc.......@......................@..B................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1001320
Entropy (8bit):	6.375963793592453
Encrypted:	false
SSDEEP:	12288:DaG9UYtX8J3EfBCMwM9E4jRcoI237MSW7/HTdPSYPJBhnHRxd/c:Dx9UdYRwM9EWI23wSWHdPTJB5dE
MD5:	074CFA8CC35DC642A2B95CC96CE5357C
SHA1:	CEE218C914D530BE6C9BB9531E78F2137224D5A8
SHA-256:	4DE592C87C443780B5D475414196B3C5406ACEC8809EA65AF45A50E7E43462A5
SHA-512:	EF776EB824F4C3152A380B3EC2858A11A96E48711C213AF905FE2B0A972F9CB4A7D83B4B96848DB0B478AF4D19623CB8AC0E5F8FC47007B39E0F16FC2E5FC851
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........../.p.\|.p.\|.p.\|..@\|.p.\|.?\\|.p.\|.._\|.p.\|."N\|.p.\|V.v\|.p.\|V.t\|.p.\|V.s\|.p.\|.p.\|[q.\|..I\|op.\|..N\|.q.\|..X\|.p.\|."^\|.p.\|..[\|.p.\|Rich.p.\|........................PE..d.....].........." .....V..........\|................................................-....@.........................................0y..g....W....... ...j...P..H........4......8...p{......................8;..(....................p.. ....V..@....................text....T.......V.................. ..`.rdata.......p.......Z..............@..@.data............n...d..............@....pdata..H....P......................@..@.360_iep(............\|..............@....tls.................~..............@....rsrc....j... ...l..................@..@.reloc..d".......$..................@..B........................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\imhelper.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247528
Entropy (8bit):	6.604794755347589
Encrypted:	false
SSDEEP:	3072:2Y77YOcw6BdKQYuVXsZy54tgQCkW30W9ezJQ4mRan5kiINyyT7PK0AMZcan5aj9b:n7YiJEIy54gFogRa0Nl/N1Sjl5yxAl
MD5:	9B05B1F0E62DD100D385807262B84A90
SHA1:	631449787D7532A855CB061E333C0712AC20E753
SHA-256:	6BC0133A16C7F058E5C0B6027929DB1145D37717118DBCF24013FA4F2D79E848
SHA-512:	9F43A542B38D998038D20467BB797CF789A36666F4B8154A548FD6E7BA24A20256C9A0BAB64CD43CB12BEBF704A524FE35F9652FA399237A3F0AFB3BF8670676
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.n..yn..yn..y.Hmyo..yg.ny}..yI..yy..yn..y...yI..yo..yg..y*..yg.xy...yg.qys..yg.iyo..ypUoyo..yg.jyo..yRichn..y........................PE..L...N{.e...........!.................................................................N....@..........................R.......B..........................P,.......&..0...............................p...@............................................text............................... ..`.rdata..............................@..@.data....\...`.......>..............@....rsrc................Z..............@..@.reloc..h7.......8...`..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ipcservice.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	705768
Entropy (8bit):	6.685295160437571
Encrypted:	false
SSDEEP:	12288:S/20NCvMDhBsqLeIQA2BcMNcYB1mF5Q3LNOsbwbekwCYgLECHqa7XWpbt9o9TehK:e2KC6hBs6f2Bcm65sO8wACHqaTQJe9Tn
MD5:	8B632FD2D4EA70470AF97CD5E88F74D7
SHA1:	9E384D37EB586E9B187F4FFF89C2F104A7921F44
SHA-256:	AFCBB8BCE2E5C8C5E9AA851941E626A62573E6054EC75C14066AD37726BB9DB6
SHA-512:	5F7EA2BF6599AA9E0C44C2820F89DF0827EEBD8A037C9DF2AF516D9865BBEEAF31CAC89AF7214A59BD4B25F2BF7EB94E257AA2766F1D12892E1C34E78776F5E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,B..h#.h#.h#..,..j#.a[J.p#.a[U.d#.vq[.l#.a[L.K#.h#.#".a[\..#.a[[..#.a[M.i#.vqK.i#.a[N.i#.Richh#.........PE..L...X.Le...........!................L.....................................................@....................................@....p..8...............P,......Pk..`...................................@............................................text............................... ..`.rdata..............................@..@.data............6..................@....rsrc...8....p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative32.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	202472
Entropy (8bit):	6.660474984647205
Encrypted:	false
SSDEEP:	3072:jLH6l5IoUzqiNVwzQyaT0NQgepguwz+uQJOAg0FubAIrnXrsFCAsKIP0a:SluoK7QiToQdeAOpLAFCtKha
MD5:	0EA1C58DEDF685A4A1EEB1C7BD1C972D
SHA1:	66CA439A737A35FC936D2C8F990AD3538D9F2CDC
SHA-256:	41780A7339545676A2D587CD5BCEA9181E6FAAF3EC73C5006D7D76B47B98A6F2
SHA-512:	D16B0A12EE38399C4B05F38E0CCCAFA6BD4984C353AF845337F3E5E8D64AAF3D9B1561E423C5CA59D2652EB083E92FB8832168989B34F11465AD581A39739BA7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:gx.:gx.:gx.....7gx......gx.....'gx.h.{..gx.h.}..gx.h.\|.%gx.3..=gx.:gy.Zgx...q.8gx...x.;gx.....;gx.:g.;gx...z.;gx.Rich:gx.........................PE..L......d...........!.........*.......\....................................... .......A....@.................................P...P.......................P,..........p...p..............................@...............D............................text.............................. ..`.rdata..............................@..@.data...H...........................@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	247528
Entropy (8bit):	6.255611405833788
Encrypted:	false
SSDEEP:	6144:MzlHNKfmGZoRwaQDy4ikigoh7Chpq8eFiybV:6tp9QD7ihgohCQFh
MD5:	9380B590C9BE993F3F253469D0933765
SHA1:	0DF57C8EA3D19DCEE142F03D0D6FF4DA7EE5BCCA
SHA-256:	CB8BE7A72561A379B122AB70CAE681840009CE71C9C50B819B2B9E8CCC7A5B73
SHA-512:	2277F388E10D8D579203F7546C30DD314C4BA0AEAC0CFBDBB7F393FBFE54F7ED60FBEDB31E524275112D9E1BDB9F5CB24AC02259ABBC096A81E8CE2D32B87F6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.T...:...:...:.u.9...:.u.>...:.u.?...:.H.9...:.H.?.,.:.H.>...:.u.;...:...;.E.:...3...:...:...:......:......:...8...:.Rich..:.........................PE..d...A..d.........." .................c...............................................8....`..........................................\.......\..P.......................P,......\|....&..p...........................P'...............................................text............................... ..`.rdata...U.......V..................@..@.data....'...p.......V..............@....pdata...............f..............@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\leakrepair.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	705504
Entropy (8bit):	6.635093248285898
Encrypted:	false
SSDEEP:	12288:GngcmdomAFsBeQsv5REGqRXkgVP73MfsPF9vyt2nSyv9K:fLAFKsv5ROkgVAfsPTyEnD9K
MD5:	C40E8A502AF91ACA96B85AB36CBE818B
SHA1:	004141E75604502E2EA30C5760008368C36850D8
SHA-256:	A10966CC2785845DC296D90EF9C97ABA865BD06DF1A8A7006A7EE53EBD2152FB
SHA-512:	219630292A8CF70311F06DC1F3A99BA948E7E7BBAB937B0F5B928121838B79FE851B70650BFFD07A4F36A22E2A7B34DE4461D8F4C97FC1322026CA2C5C2E31EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........fP...>..>..>..v?..>..o=..>..o:..>.l;..>.0n?..>.?u;..>.....>..n:..>.j:..>.j;..>.6....>..n;..>.2n:..>..`;..>..`:..>..o;..>.2n;..>.l:..>.l8..>.l?..>..?..>.4i;..>.bj;..>..n;..>..n>..>..n...>.....>..n<..>.Rich..>.........PE..L...].$a...........!.........z............... ....{5................................b.....@.........................@...0...p........p..................H?......XS.....p...................P.......H...@............ ...............................text............................... ..`.rdata....... ......................@..@.data... 7...0......................@....rsrc........p.......&..............@..@.reloc..XS.......T..................@..B........................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libcurrant.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	966376
Entropy (8bit):	6.564045153487216
Encrypted:	false
SSDEEP:	24576:3lzYxkj819KdVtUSPczJfKbM1aIjvI7BxwwuDFkrwtFkUHUZ0sIPbtYUkXAJfTSH:1zge8XKdVtUSPczJfKbM1aIjvI7BxwwH
MD5:	A9FF3D29AF8CCA5D3C90F17709EB0548
SHA1:	7F4B69366BA3BBB7BF08206FEA672C807CC2B562
SHA-256:	45E8B5F32CDE9201278500DF961133AD26AD60C531FCFD77D3D26FEFF105FFD0
SHA-512:	F043D1599D57B1E86D97CA1E81CF81FF0B3C97B95F1134ABF6DEEAC615F37645A825363315F5FB2139286BB5AEF5FA26C375E829AEC897C27CEA30199310123C
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$................e......e..*...e...................g....2Y-....................i.....y......}....................}.........Rich...........PE..L......d...........!.................d..............................................`.....@......................... ...H...h...x....p..@...............P,......@j..@t..p............................t..@...............L............................text............................... ..`.rdata..............................@..@.data...............................@....rsrc...@....p......................@..@.reloc..@j.......l...$..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libgravity.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	871144
Entropy (8bit):	6.407442398411684
Encrypted:	false
SSDEEP:	24576:hgjR9MABH2uK50bPcjV/3WU020ZQA8NM/rmn:ghB1W3WUVeC
MD5:	9A88DC21D3AC42ECA184F37297387BDF
SHA1:	2F82552EF8F4B6A10356441CD158F1A0C5905913
SHA-256:	466DF96D59B878EC6775ECC4D497B71CCD73CB11FBB2C2B23575EFE055BFFB75
SHA-512:	1136D371771A71D329910ED9BDBF8243F74AD19FCE75F9A8712BC1E1E53EA3EF3722D4E067AB5567366D40D2637AF7E119E7E31734DDB57BCEE126CFE932C37B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......U-.}.L...L...L..3,./.L..3,./.L..3,./.L...L...L.......L..C$./.L..w$./.L..w$./.L..C$./3L..C$./,L..3,./.L...L..]M...%./@L...%./.L...%,..L...LD..L...%./.L..Rich.L..........PE..L......c...........!.................P..............................................._....@..........................{.......\|....... ..8...............P,...0...s..p&..p....................'.......&..@............................................text...U........................... ..`.rdata..............................@..@.data....}.......&...\|..............@....rsrc...8.... ......................@..@.reloc...s...0...t..................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libscent35.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	927976
Entropy (8bit):	5.917840435230856
Encrypted:	false
SSDEEP:	12288:Syp5QtiR2fVE00WKL+YD5ndNpKrtvKXVsFpJppn72z+T73P+2QHkgFrGCZK:1POE00WKd5ndNpKrtClsFXnhT7ZAkgxO
MD5:	158D719030DBD08384235B165FC211CF
SHA1:	A8161B15C0BC6576829DA4BC0732794B0AB2E37C
SHA-256:	BC33C91BE3D31557B16F2B91B90DE96580C3CD2510E3C3D3B77E3D4CC8DBB0B4
SHA-512:	383E551FFC50D17E9A5B466E996614B5AF35BEB48A72A47CB7D5A35B68D68906E5ABADDAEABD439AA214BE28E7A27FBCA3872537D65D33CA64A53B513A924EDB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.(e...........!..................... ........@.. .......................`.......7....@.................................P...K.... ..................P,...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........o..P............b...............................................0..M........(....~.....X.....r...p~.........(....(G......r-..p~.........(....o....}........0.......... ......{....rU..p~.........(..........(....o...... ...........%......(.....%......(.....o.....o.....o......ry..p .....o.....(~...o.......o.......+.....X.....o....o....&...X......i2..o.....0...............(.....4........(......-.r...p.....(....(....s....zr...p.....(....o....(.........(.....s\|...%o~...%~

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	575720
Entropy (8bit):	6.4118078561661545
Encrypted:	false
SSDEEP:	12288:FoblSYniV7pA1yJVyfI1+RZSihzvjZh2Tx4UTFAzmp4ZZPy1KlU1E:sfI1+RZSiz2VlTF+XHlU1E
MD5:	82DE25B17C3B9D6BB253B6BE7AD2FEA1
SHA1:	6F6BCF23753F161D4DE444978C3EBC003D361B2D
SHA-256:	165FC9F929853B4AE8603BB0C7807456B99871A7C8E9078F95D954C466A7172D
SHA-512:	71EA0FE18F1EBDA98067460E6661FC108E7116E71651B0D05FB8365BDA92E1DBF02B89D20DF6B47C7557AC52877ED8EE503373164079C0F5C62EBF16439867C4
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$....................r.i....r.k.I...r.j....c.....c............X,_........................................n....n.....n.g..........n.....Rich...........................PE..L.....(e...........!.....v... ............................................... ............@A........................@...........x.......X...............P,......lJ......p...........................p...@............................................text....t.......v.................. ..`.rdata..\l.......n...z..............@..@.data....c.......(..................@....detourc.5...p...6..................@..@.detourd$............F..............@....rsrc...X............H..............@..@.reloc..lJ.......L...N..............@..B........................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp64.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	682216
Entropy (8bit):	6.095070464124169
Encrypted:	false
SSDEEP:	12288:rhqnA1JpofoqtokijtH2OMoVTP94CCIKGJToFTz/goFZKk:VqnALpPqXq92bEx4CCIKGJToFTz/gox
MD5:	3D7564C3B97E0DCC859CE8FAE51BF196
SHA1:	F6588DAA615A45E375AB4CD8153A3D9BBDC476C6
SHA-256:	73D11EF506C2282DBD45C4758F6C6B1352C596B1EC684BEF30778965D0774F1B
SHA-512:	C6021111CA8F0B8BBD111F85397C0F91DD2423B9168711296B484190CF5C43CABE6215AFE4533881F0F285FBB201D4974D7343E92F33681B1983BB1770110246
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........C".."LA."LA."LA...A."LA...A-"LA...A."LA.KH@."LA.KI@."LA#..A."LA.JO@."LA.JI@."LA.JH@."LA.Z.A."LA.Z.A."LA.Z.A."LA."MAd"LA.KE@."LA.KO@."LA.KL@."LA.K.A."LA.".A."LA.KN@."LARich."LA................PE..d......e.........." .........*.......^..............................................9.....`A................................................d...x.......X.......PF...<..P,..............p...........................0................ ..x............................text............................... ..`.rdata....... ......................@..@.data........0...F..................@....pdata..PF.......H...d..............@..@.detourc.h.......j..................@..@.detourd@...........................@....rsrc...X...........................@..@.reloc..............................@..B................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\lockkrnl.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	628184
Entropy (8bit):	6.631864802737484
Encrypted:	false
SSDEEP:	12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
MD5:	BFF0CE8D5C44994EF19F63D63CC29EEB
SHA1:	B2837190927EE952721DBD5127C426D28FED9230
SHA-256:	08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
SHA-512:	F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<W..]9X.]9X.]9Xh-:Y.]9Xh-<Y=]9X.5<Y.]9X.5=Y.]9X...X.]9X.5:Y.]9X.5=Y.]9X.5<Y.]9Xh-=Y.]9Xh-8Y.]9X.]8X9]9X)40Y.]9X)49Y.]9X)4.X.]9X.].X.]9X)4;Y.]9XRich.]9X........PE..L....k%b...........!.....^..........=X.......p......................................c.....@.........................`................0...............V..@?...@..8F..pp..p............................p..@............p...............................text....].......^.................. ..`.rdata..jy...p...z...b..............@..@.data....8.......(..................@....rsrc........0......................@..@.reloc..8F...@...H..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\mobileflux.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117064
Entropy (8bit):	6.436398487030181
Encrypted:	false
SSDEEP:	1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
MD5:	80907BE35290D47A8C6DF50A0B44DECF
SHA1:	DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
SHA-256:	4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
SHA-512:	09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)g..)g..)g.. ./.8g.. .9.Mg.. .>..g......:g..)g..g.. .0.!g.. .(.(g..75..(g.. .+.(g..Rich)g..........PE..L...%..S...........!.....,...\|......H........@.......................................O..............................P.......4u......................................0B..............................._..@............@...............................text....*.......,.................. ..`.rdata...A...@...B...0..............@..@.data..../...........r..............@....rsrc...............................@..@.reloc..~...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\netmstart.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171592
Entropy (8bit):	6.633100643329799
Encrypted:	false
SSDEEP:	3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
MD5:	FF07224F63F62ECC5C6F2DED09DEB0AF
SHA1:	D3ADF969B20A3E42032E60A87DBD69834A748C1A
SHA-256:	A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
SHA-512:	92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..X.y...y...y...+-..y....<..y......y....-.y..5....y...y...y....#..y....;..y...+=..y....8..y..Rich.y..........................PE..L....].[...........!................F.....................................................@.........................`...........x....p...............f...7..............................................@...............4............................text............................... ..`.rdata...N.......P..................@..@.data....L... ...(..................@....rsrc........p.......8..............@..@.reloc...".......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\np360SoftMgr.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243944
Entropy (8bit):	6.56760832272308
Encrypted:	false
SSDEEP:	3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
MD5:	FA85435627D31663BECB82EFFDFBE2BB
SHA1:	C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
SHA-256:	7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
SHA-512:	7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................f.*......)......?.......8......}........z.....6.............(......-....Rich...........................PE..L....6.e...........!................3.....................................................@......................... G......\:..........h...............P,..........................................@...@...............<............................text...x........................... ..`.rdata...x.......z..................@..@.data....D...P.......<..............@....rsrc...h............T..............@..@.reloc...-...........\..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\npaxlogin.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	404296
Entropy (8bit):	6.509440609680588
Encrypted:	false
SSDEEP:	6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
MD5:	630AE5740C702AF919BAED414DE8CFE3
SHA1:	26A50EFF049B2DBC24BE11411032172E82B37B04
SHA-256:	C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
SHA-512:	A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..,t..,t..,}.\|,y..,}.`,n..,}.f,o..,t..,h..,}.v,...,}.q,...,}.g,u..,}.a,u..,}.d,u..,Richt..,........................PE..L...[AVS...........!.....N...................p...............................p............@..........................x...... f.................................. 5...s..............................8...@............p..d............................text....K.......L.................. ..`.orpc...3....`.......P.............. ..`.rdata.......p.......R..............@..@.data....Y.......:...\..............@....rsrc...............................@..@.reloc..hc.......d..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ntvbld.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\pluginmgr.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.451554967739461
Encrypted:	false
SSDEEP:	3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
MD5:	9828C8A355EA0F393260D6E3F7D511E5
SHA1:	DC587D4215DC083A35E4BBEE095FB3FB07A73C33
SHA-256:	B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
SHA-512:	178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........xL.+L.+L.+..+M.+E..+^.+E..+1.+E..+u.+k..+].+L.+..+E..+].+E..+M.+R..+M.+E..+M.+RichL.+........................PE..L...P.LS...........!................D.....................................................@..........................2..M....'..x...................................P............................... ...@............................................text...'........................... ..`.rdata...S.......T..................@..@.data...HU...@...,...(..............@....rsrc................T..............@..@.reloc...#.......$...^..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\probe.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	6.443933218835315
Encrypted:	false
SSDEEP:	6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
MD5:	BB752561CE0859324FF01369BA8D25CC
SHA1:	8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
SHA-256:	A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
SHA-512:	0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&PLYb1".b1".b1".kI..s1".kI..^1".kI...1".E.Y.o1".b1#..1".kI..n1".kI..c1".\|c..c1".kI..c1".Richb1".........PE..L....r.\...........!.....`...........?.......p......................................Cd....@.........................@%..B...X........p...............n..h7......@#...r..............................(...@............p..d............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....6...0......................@....rsrc........p.......2..............@..@.reloc...0.......2...:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qroscfg.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.637936005523512
Encrypted:	false
SSDEEP:	3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
MD5:	F62317FC61CA698D45A54C0F7A8A78B8
SHA1:	F61D256EA3E3DD85CE7C44DC61AACC93E720F692
SHA-256:	59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
SHA-512:	C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.j&k..uk..uk..u...ui..ub.uz..ub.uR..ub.u...ub.ux..uk..u...ub.u\|..ub.uj..uu.uj..ub.uj..uRichk..u........................PE..L.....,S...........!.....N...................`...............................P.......T....@.............................L...\........ .......................0..T...0b..............................8...@............`...............................text....L.......N.................. ..`.rdata...k...`...l...R..............@..@.data....A..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmipc.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	170856
Entropy (8bit):	6.55483314591404
Encrypted:	false
SSDEEP:	3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
MD5:	7EE49A57339ABCC35FCDE25D3F5EE8D9
SHA1:	7A7F471DADD973CA57C79C43D93828B4496570E8
SHA-256:	DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
SHA-512:	F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..R`..R`..Ri.]Rk..R.BRb..Ri.ARr..Ri.WR...RV..Rb..RV..Rc..Ri.GRq..R`..R...Ri.PRZ..Ri.FRa..R~.@Ra..Ri.ERa..RRich`..R........PE..L...f..]...........!................K.....................................................@.............................a............................f...4..............................................................d............................text............................... ..`.rdata...O.......P..................@..@.data....n... ...(..................@....rsrc................8..............@..@.reloc..<#.......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmload.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111336
Entropy (8bit):	6.7222941004358425
Encrypted:	false
SSDEEP:	3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
MD5:	8719E73BC84D506FE7F0D367AE46ED20
SHA1:	D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
SHA-256:	C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
SHA-512:	AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........z...z...z.f.'...z.....z.......z...{...z.....z.....z.......z.......z.....z.....z.Rich..z.........................PE..L...Z.Xd...........!.....Z...........A.......p...............................`............@..........................X..[...TM.......0..................P,...@..t... ...............................8%..@............................................text....Y.......Z.................. ..`.data........p.......^..............@....rsrc........0.......d..............@..@.reloc..f....@.......j..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerIC\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	data
Category:	dropped
Size (bytes):	42733846
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	6226B504352339D1F6D3ADB0D02119B0
SHA1:	B415E19CFA4555BDE778C695626D752732A739FE
SHA-256:	011540BA483A93324CFD6E720745F80246633A118AB2DDDEC16B4BDDE1E4DF94
SHA-512:	EE3CB529DD63E3F2C0782C18F32798021E72B6AC4B1BB30704202195710FD7C981FE2123B4C99A6C1AF60BE1E5B734665394F64466201D11AAF8504E114B43D2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2401865105070087
Encrypted:	false
SSDEEP:	6:kKTn9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:yDImsLNkPlE99SNxAhUe/3
MD5:	69D392617FDA8CDDC1031897D3C1420A
SHA1:	483AA385A38150BD5DF3923CFC689ABFA44604CD
SHA-256:	8994C57954E0D7B0ACEFF0EAD4FE08BF1C04A7F32D9F362EA88E657BE47773DC
SHA-512:	2995935391360FE5CDFC73B16228E2003BB3D0063C3468D7B5D09C334E83E16B4BD1201F7745E1E72576761370B3D79F235470F7411FA24CE6EDBD3E8013814B
Malicious:	false
Preview:	p...... ........x....a..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	27
Entropy (8bit):	4.088220835496803
Encrypted:	false
SSDEEP:	3:1EyEeBn:1BEYn
MD5:	4AE8A010782B10391BA0AF6F4DC3B667
SHA1:	48999DD7C62D642974049463C4418457572177D5
SHA-256:	C0B2445FCAA83FA4F12DCCEB286EAEB5D278E06DC27E549F49E1547B36A046D5
SHA-512:	96C1551461FDAFFDF8B9F37198FB2BC1CD18B0B27494E94705DD6A2AA1F4EA17C5014E0F2C54E6B436D796BED334FD6AD637D374804ED1815488D4801FC183E6
Malicious:	false
Preview:	[General]..Active = false..

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{63C74B52-50AE-4A4E-8A05-844E686FBC0B}.session

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	33478
Entropy (8bit):	3.7089721458694043
Encrypted:	false
SSDEEP:	192:GJrhrXrgZrzr2yrQrdirMrhrozrorr6LrLrVrOrUrGrgr7rUr/rIr1rWrvrVr2rg:GEvtKjUCT
MD5:	474C54F634CADCD7687C7323DBCF20D5
SHA1:	E3AEB54C0732961B67F09406124A13502BC0DEE4
SHA-256:	EBBFBD1FB470D04A59D28BDF0FBD021A4A8AD3D9BA52D9228C2D0B447C807ECE
SHA-512:	A2862F7DB7C80F76FD106F5A237053F4843967FEB1C5DC52641FD8014C781FDA4962BE8E45B3A035DCBFE079E3EF8ED998DC7A4F1520DC8C4A8CDFAFD86AAE4F
Malicious:	false
Preview:	..[.H.i.t. .{.6.C.0.A.9.5.B.2.-.D.C.E.E.-.4.5.E.B.-.A.E.7.2.-.2.2.4.B.0.D.1.8.5.6.9.A.}.].....Q.u.e.u.e. .T.i.m.e. .=. .1.5.....H.i.t. .T.y.p.e. .=. .l.i.f.e.c.y.c.l.e.....L.i.f.e. .c.o.n.t.r.o.l. .=. .s.t.a.r.t.....P.r.o.t.o.c.o.l. .V.e.r.s.i.o.n. .=. .3.....A.p.p.l.i.c.a.t.i.o.n. .I.D. .=. .6.6.2.7.b.e.3.e.2.0.a.5.9.a.d.e.4.c.1.a.d.d.8.b.....A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n. .=. .1...1...6.....C.l.i.e.n.t. .I.D. .=. .E.9.A.F.0.2.5.3.9.3.1.1.2.6.4.8.4.B.3.6.9.A.5.7.0.6.B.B.9.B.8.5.C.B.9.4.F.4.8.9.....S.e.s.s.i.o.n. .I.D. .=. .{.6.3.C.7.4.B.5.2.-.5.0.A.E.-.4.A.4.E.-.8.A.0.5.-.8.4.4.E.6.8.6.F.B.C.0.B.}.........[.H.i.t. .{.7.0.B.1.9.3.1.D.-.3.6.2.6.-.4.0.9.B.-.9.D.9.5.-.9.6.F.0.E.6.4.D.8.D.D.0.}.].....Q.u.e.u.e. .T.i.m.e. .=. .0.....H.i.t. .T.y.p.e. .=. .i.n.s.t.a.l.l.t.y.p.e.....V.a.l.u.e. .=. .i.n.s.t.a.l.l.....P.r.o.t.o.c.o.l. .V.e.r.s.i.o.n. .=. .3.....A.p.p.l.i.c.a.t.i.o.n. .I.D. .=. .6.6.2.7.b.e.3.e.2.0.a.5.9.a.d.e.4.c.1.a.d.d.8.b.....A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n. .=.

C:\Users\user\AppData\Local\Temp\11561\....\Microsoft.TransCompositia.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1736323119\....\Microsoft.TransCompositio.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\31563\....\Microsoft.TransCompositib.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4099515\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	6.398722888372975
Encrypted:	false
SSDEEP:	1536:qjw1c0DJ1xDL8lCXy60KlCXy60vcbvM1id4xSu:T1HPxD2Cj00Cj0C00WxS
MD5:	56867EECC2042A0FD681F3B90D365A16
SHA1:	021DAC119F8E115E6DF308DB85BC8760078D9719
SHA-256:	48F8313380BC6FA33172888B8FD9874A6ED5465213BACB9F8D5C2BB3AB37BAEE
SHA-512:	EBB40D1E1A7F6B9E9480E544A67C9383D53A708547ACBA787BFD7C5699E491EAD7FAF714C5D84407B3D9A1DD2051205E0A299EAEECEB44422E3874C5E55CC65A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........FJo..Jo..Jo..%.U.Ho..%.W.Oo..%.c.Ao..%.b.Ho..C.Z.Oo..Jo...o..%.f.No..%.R.Ko..%.T.Ko..RichJo..........................PE..L...83^f...........!.....2...........9.......P............................... ............@.........................@...]...L...P.......................................................................@............P..,............................text...40.......2.................. ..`.rdata.......P.......6..............@..@.data...............................@....reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4099546\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Users\user\AppData\Local\Temp\4099578\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.2011029533052096
Encrypted:	false
SSDEEP:	3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
MD5:	E7EE8D889FBD33DED17EE00BC9E98ED0
SHA1:	A153B28DBB602C58A606A44906F38128E85CD285
SHA-256:	2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
SHA-512:	006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
Malicious:	false
Preview:	[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Users\user\AppData\Local\Temp\4099609\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4100546\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Users\user\AppData\Local\Temp\4100578\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4100609\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\4100640\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\4100671\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\New

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.9169468593135157
Encrypted:	false
SSDEEP:	96:+f+OFx/DgstjfDaf///////aorGbaX8PSccl1q12xfnW1orsKc:+WqDgOQ///////aoZsP+/qAVnWursKc
MD5:	1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA1:	6E567D732354BBB21F9A57BBB72730C497F35380
SHA-256:	4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
SHA-512:	5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\Up

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.7901346596966383
Encrypted:	false
SSDEEP:	192:+n5lkX/1//AJffffPTb6ylHJxnSfFN5pM2C:+5lkX/K
MD5:	FD64F54DB4CBF736A6FC0D7049F5991E
SHA1:	24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
SHA-256:	C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
SHA-512:	EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\WHelp.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	6.283009388320045
Encrypted:	false
SSDEEP:	1536:Qi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhX:WWO0ioC3DID/ZxvpY1yRe5ObhX
MD5:	0CD6E3C177AE2D5491D06F05748147D1
SHA1:	18934C204E18D3DB17EC07A8B67A79DE38A24D6B
SHA-256:	C6168948683071FF85C9504F988B72B1F341A7BF4A77E1591F827AEF1514B805
SHA-512:	B66663DB171976DBAE987A994B887F687CC807402A95D55802EDE2BB23907B360C9548B40F4D6D59C05B32CC7E8E77081F5B1703B27E2CD0664DA15C490DD5E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........w...$...$...$...%...$...%x..$...%...$...%...$...%...$...%...$...%...$...$...$;..%...$;..%...$;..%...$Rich...$................PE..L.....Zg...........!................,.....................................................@..........................;..P....<..<............................p..@...`/..8....................0......./..@...............8............................text............................... ..`.rdata...c.......d..................@..@.data...`....P......................@....reloc..@....p.......8..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\blue.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 355x304, components 3
Category:	dropped
Size (bytes):	7379
Entropy (8bit):	7.675014430898698
Encrypted:	false
SSDEEP:	96:Zs7nc2Efd4WLNlTSGJG8J+F1sGaPEl1M5np44DE4wA2A+fHDeGWhzrd7yf8TJWpC:ZsA2DqTRUUQMT4LxjPWhzrNyiFI5Ip
MD5:	6F1B5342D1B781596A4FEC79112DCB0C
SHA1:	08BDEDC9F65FC3A5F6D13D3EF0502769ABE4BD05
SHA-256:	3986699B9B4BE2F8C1747A37E74943F78870623701F08C90CAA007B4DE17924C
SHA-512:	FAE8A651E1DAF872A24FAE87D477F286CAD599DC232A716DBBAD7F091236DA80C71C30B990B6E2F4FF7E06D4414876DB756B452272A9A3E4B3EC1BC32B9E30D5
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................0.c.......................................................................................!1AQ..aq..r....."2BR.S...b.....#3C.%...c$4TE..&..d.Ue...5F.......................!1Q.."A.R....B.a..............?...}.)I..k....[.W.........z.(..`...[.`..P.kC\|.U...V*.R..X.)5J...).\|.c)..[O.....S.k...wo$.9r......>e.l..8nH.o..}is...{.....8jH....Os..r7$r....F.s..rk]3....;.e...d..8..%...o.W.Y>rk]3......b...?..9..g...\|.........5..x9/w.~....u.....\|#.}..,.o4...&.........Q]....+).....tq..\...w....~0...r......T.......j..\|#..._1...y.}.........>d..<;.y.}..&.?W.......2.....%..E..&.....;...!.....yoW/po..W.hmt......#...v..........o7..R'Uv....O..~a..{..y.......m_....\|...t....}.........>..D......x.\|..6..~..a..>m..~w..oW..Hm'..L.8......vV...nG..w..s.[....3.....<BN..}.If...&..&......\|..s..c}..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:	48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\complete.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.432735724336821
Encrypted:	false
SSDEEP:	192:lN3tnZnyRZF64hc28fwy+aXE25b6K0FHQHVd42oJ2zwZlaw484:lN37Yai8IaD5T0FHQHg29wZla04
MD5:	3EAFE3AE99BF33E9F59D970F21EBEF39
SHA1:	E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
SHA-256:	5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
SHA-512:	8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p......................pp.....p.................p......w.............q........ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\custom.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.4001074083138745
Encrypted:	false
SSDEEP:	192:lN3tnFnyRZF64BiTfwy+aXE25b6K0FHQHVd4RhE2zwZlaw484:lN3XYa5TIaD5T0FHQHgRfwZla04
MD5:	1B5701D7F753135C22CC1AE694FFAF4B
SHA1:	966BDEF4159022FCC8740B6EB75B8D7AC4212504
SHA-256:	AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
SHA-512:	4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p.......................p.....p.................p......w................p.....ww`h..............p.....wwp.........p.....p....wwwwp..............p...wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\exclamation.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
SSDEEP:	96:KYvlkFEXFYU2+yCvIFA13cJ/rrrrrpbEn5UnanjPRZfZy1wvI8:bVXuzd6IF0czwNPDZfI8
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`....................................-...<...I...L...P...S...S...T...G...@...K...V...W...Z...\...]..._...C..^...`...`...f...a...f..&e.."f..n..)v..3w..5v..2x..7\|..8}..<}..B}..._...e...k...a...m...p...t...r...z......5...M{..............,...0...+... ...,...<...?...<...:.......................................;.......-...!...-...................................................#...#...*...6...5...;...'.../...#...(...,...(...,...:...;...6...1...:...A...@...K...J...L...B...A...S...D...K...V...\...R...M...M...K...M...e...`...`...k...d...m...s...z...Y...e...}.......z...J...G...J...B...E...V..._...]...U...[...Y...Q...L...G...F...B...M...J...P...[...R...\...P...Z...b...i...e...b...l...f...u...~...b...k...g...m...c...s...z...5...<...C...J...N...T...Z...U...X...]...g...c...m...c...h...z...s...z...t...}...i...r...u...t...~.....................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\externalui.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.036354960673055
Encrypted:	false
SSDEEP:	192:q4lYOUfhBJ1gqASunI8FoQaaJ+nkt0p1b+v:q4leXXArnI8FoVa4nP0
MD5:	235E54EB7ACEA02DC322F4065498165D
SHA1:	AD825997EC58A33A164B471FE3BD4B7C74614D9A
SHA-256:	B294EDF73CC936610CC81BCA6B95D1C7D6091595EC074C6B334ECA45D2DC354F
SHA-512:	5AC20371FD09E6A1F8C134FB24C045C36D835544D04E681FB6A51ADFF12A6BF8225C53D865B601EA5452024ABE7C02204A759B317D7410CF59F66ADFBE089D5C
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`........................................................................................................................................www................p..........................h.....p.........................................................................................................................p.......................p............................wwwwp..................wwwwwp..................wwwwwp..................wwwwwp..............p....wwww.................................................................wwwwwwwp....p........p.............wp.....................wwwp......p....wwwwwwp..wwwww.w.w...............wwwwww..................wwwwwwwp.....x..........wwwwwxww.....x..........wwwwwx.wp....x..........wwwwww.ww....x..........wwwwww.ww....x..........wwwwwwxwww...x..........wwwwwwwwwp...x..........wwwwwwwwwp...x............wwwwwwpp...x.........wp.......xp...x........x..........p...x...............wq..p...x.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\info

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.347251063198798
Encrypted:	false
SSDEEP:	192:+h7OMtMrJbDG0UDLHMrhmZ1galQpAAAAAAAAAAAS55qjOlr9n:+6g0uyi1ZQpAAAAAAAAAAASXqjOp9n
MD5:	8595D2A2D58310B448729E28649443D6
SHA1:	08C1DF6FBF692F21157B2276EB1988AC732FF93C
SHA-256:	27F13C4829994B214BB1A26EEF474DA67C521FD429536CB8421BA2F7C3E02B5F
SHA-512:	AE409B8F210067AC194875E8EBF6A04797DF64FA92874646957B2213FB4A4F7DA2427EF1ED8D35CD2832B2A065E050298BAC0FC99C2A81DE4A569A417C2A1037
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%.....................................................................................................................{...............................................................................................................................................................................................rqr............................................................................................................................................................................................rqr............................................................................................................................................................................................tst............................................................................................................................................................................}................yxy...................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\info.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
SSDEEP:	192:0DT6aNn0CgAevbxezcSptuGH0BJ1cBYehJjbQypQ6X8rdb:/aNn0DAoN4c8HH031/QQ6XWZ
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`....................................B...C...D...F!..H#..I#..J%..L&..N)..Q+..S-..U/..V5..W1..Y3..Y4..[5..\7..]7..]9.._:.._<..c?..`9..c=..d>..d=..`@..eC..fB..gD..hA..iF..kF..lG..kN..kI..lJ..oK..nL..jC..lE..oG..qO..pH..rN..rM..tO..uO..sK..uM..wO..pT..sP..vW..w]..tQ..wT..yV..xQ..zQ..{U..zT..\|T..{Y..}Z..~Z..~X...\..}U..}d..[..^..^.._..W..Y..Y..[..]..\..]..]..].._..f..l..`..q..w..u..t..x..}..{...b..`..b..b..e..g..`..d..e..k..i..n..i..m..q..u..x.....z........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22880
Entropy (8bit):	6.92037593808898
Encrypted:	false
SSDEEP:	384:mawk1/Nr4ErjZawvawljSJv62X2Ip4FmnqjdAA1m5wMvaSu7/n4M0Id:ma/F4wywlOJh2Ip4Eqxf1mlv2jnrd
MD5:	7751BEE42B08F9E12E304226B287BFDB
SHA1:	0113E391AC93385C2C043E49031BF331855E872F
SHA-256:	C717C8EDD7E1C4480FA1C0CDD4219D1FA8AC8A83748FA6104817CB12C6BC5B06
SHA-512:	AEEAD0D2FE111263B83B263EBABD3916A2FE51EC9721A4530B3FDD8A0CAA915C99779138BF49EA54A8F001E946F23A883D9F0D03BB45401F6E2A47C8BAE7F784
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Er9B$.jB$.jB$.j.V.kM$.jB$.jr$.j...kG$.j...kC$.j...jC$.jB$.jC$.j...kC$.jRichB$.j........PE..L......e.........."!...'............@........ ...............................`.......w....@E........................p".......$.......@..h...............`=...P..`....!..p............................................ ..X............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..`....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\minbackground.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x100, components 3
Category:	dropped
Size (bytes):	15366
Entropy (8bit):	7.95557428882131
Encrypted:	false
SSDEEP:	384:ZsgYb2FNX3lLAvWkoFQVHunMJkaCxzpsEo9fDC79Vh4Vcj:ZsgYbuN3Gb/HunMJbWtl8rQ9ffj
MD5:	845B155C2F68096094B443873E5A6142
SHA1:	A1167CADC4ED424BFC9AABF61B3E0EDBE6FFC818
SHA-256:	70FFF5DC4ECCA73EF601BD78A67EAF0141079EBA11FC9659EC4C4A4AA5C78C9E
SHA-512:	60B9165D37600A5EB1563CA8C69579C2DEE8ECFAD8BF60580DEB7307607BDDE33BEBAA07C3E35D94366FDC4D403747049AA758D4096519836E11BF7CE0326040
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................d............................................................................................!1..AQ.aq."2.......B..Rr#3..b...CS$..s.%..T.....................!.1.Q.Aaq......"2..#...B.............?......=.u..[..7M.+v.p.H...6....:Y.........f.O...RK...)tH9...2D.....ZGI......P.QU..M....;1.W....\|J......\O......g.=W..n'......Y.7U.&..._.w..n..UW..k....Q...U^.6.Sa.w....U^..wSTy..L....W....y..)..z..qaq&.c.).gMR.X.&.c.)..C.......u.!....X....j..A..v...MF.D.h..Q....T.4.n..GC.f7H..S..,{.Lt.-..P.i0e./a..^I.&......~.u%d0...J..9..#....(~I.%d........&s].YB....)..,ah.H..b.sY.-..41.\|.4.o#Hm...L..U...x.h.[....vj.....Q.....]upp..Cn...Y2VA1@j8e..d.......n.N....[@.S..US&...$.{1FI0.x....s%i.!...W..,....cJ.......hI.``..P...n$.c..7....e..Q.]..4..I.%...cI..@..D\..iE...4..C..EV...v..&~OQ.a

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\remove.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	2.6933610069396567
Encrypted:	false
SSDEEP:	96:0d7HufRNsQX7BbcXwLTkML6wthhhhhhhhhhhhhhhh1iII4SLO27SUP4EhhhwhhJc:0d7ufRn7WgBiIIBC2bPWQRND4NiF+k
MD5:	32FFC45A2F138F87569590A81E9A5BEA
SHA1:	EF038F0C547BCC21160055787BAB9D9D1A652B89
SHA-256:	F6EAAE19C70288723E431749666B6CDB386AF40AEBA89F1FB8EC0D2766EC91C3
SHA-512:	89183BD1F7CC5431B22718C58D5387D1B06C2D31367CC912698248EC231A5EDDC9C52105C33D22F81233A47B75A06BCFC77918AB5735A5FD63960FB13C8E30C3
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\repair.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.656471862600903
Encrypted:	false
SSDEEP:	192:+q2qe82nprAWkcWFW57oVht/k2VxomK0qHTk4TdrofvMxnVRYAn4vf:ej84ArgojFTVxoz0qHNTdr+vKVRYAIf
MD5:	4DBA3637F5FCEAADD2184BD8A0F0FB95
SHA1:	A858418C32F5D45F15AB01CAFC652B507DE2A42B
SHA-256:	C1AD1E78A112974326B44F75FE302723A4FC8AC1CCD96C9887403F6DDF8E607D
SHA-512:	DA105188273312DD1C79D90C2A1AE17ED584A70C14BCD662EAB3B7FC99D7A91B30957D965498E6FB397E01EA72ED3EA0AB8BDBB4313E68E8E45073B87E412E26
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`...............................................................................................................................................................wp...w............wx..ppw....ww..p.......w.....qx.......pp......w......q....x....p..................x....p................p.x....p..............p.x....p..............p.x....p..............p.x....p..............x.x....p................x....p...............w..x....p...............q..x....p.............p....w....p..................w....p..................w....p..........p.......w....p.......................p.................p..w..p....................w..p....................w..p................p...w..p................p...w..p...wp...........p.w.w..p...wv...........p.w.w..p..www............wx..p.p.wwwww.x....p........p.p.wwwwww.x..x.....w...p.p.wwwwwwwp.w........pww.p.wwwwwwwwwp..x..w..w...p.wwwwwww.ww...ww.x...p.p..wwwwww.wwp.....w..xp.p..wwwwww.www...........p

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\rtlothree_colors.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 760x17, components 3
Category:	dropped
Size (bytes):	3420
Entropy (8bit):	7.841479572759416
Encrypted:	false
SSDEEP:	96:Q6PKp1qGfXtGjelIs3Qj/y6+/yzyQguDYfE10JeOWMm+1Q:Q6PKpsetGsZQj/j+4jKE11OW+1Q
MD5:	A45540685353D14EB9B2344F556F672B
SHA1:	C540395FAFD4D23A5614B5A692080D3B07DEBCAB
SHA-256:	CE18FC834CEA0215B8BD6EB1C66586B4904FC7FCE758F6CBB1E9EB6FC004F338
SHA-512:	69DAFCD7BDCDF72E352EDFC67DF2C58FDEA22A6779702FB00670B90619DD0D673B8FB74E7047F7CB807AACEC08533A128DC437AFAB054C9FCB911D7C2779FCF3
Malicious:	false
Preview:	......Exif..II*.................Ducky.......U......Adobe.d...........................................................................................................................................................................................................................................!1.AQ.aq.."2.3.......B.#.R..r4........................!1AQ..a..."2...B............?.....}=...5....6..9....u]A@1....G.x.f.~...]i...VpKw....+[f.....q...i.4.M.;Kz..}=.-.....7B...............?...W..?C.........R........K...5...+JU,............^..Oik......dL..".x.q/ ..m.l.k.Z.e..j.L..=..&...K._Px.@h.w..X..[zV...}mk.ZL.....3-c. ....2...... .^...z............Q..E.A..d..h.......\...}6uV.3.....t...!.~.f......l.....J^z.G~.&...e....A.c.$...]PG.(hjF.S^+.].k~...<.[t..Qt2:.d...-..c\.e..y1M...m.....'.{.ei...`d....k...1....2.O.CA..&.'.>O..[...........i.M...>X..B..F..=.s.-...<.......N...6....[Z.943.f....NMr<E.W%I.ro..#..ro.....nj..6......b.F...k..U.B-bu.=.b..Bi........e<...U

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\three_colors.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x505, components 3
Category:	dropped
Size (bytes):	26619
Entropy (8bit):	7.547741155491426
Encrypted:	false
SSDEEP:	768:Zsra5o/C+tKDDPW4I++xCsuOlApLTEDjeEImcF:jaQD6DVCsBSpL0eEIFF
MD5:	718CAFA7E04A8D4D98116BCB4C377D7F
SHA1:	38A1EAC1E72997FFA9FB01BDE2540B18F046A3F5
SHA-256:	FBE48BA8AF8CC23A66906A1E94AC10D86CE91B86A18531CE1C96D6061387C2B5
SHA-512:	0FECEB6C7AC536B985198C63008668424DA51E628656706DE30E472DAEA49380F5D25187A268E8BF2E3740AAB6A8ED1171EC4E2C6A69699BAB7DB5B619CB36EB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.............................................................................................................................................................................................................................................!1..AQ.aq"....2....BR#....3..b...r..$...CS.....c....vX4.f'G8.......................!Q.1.A...aS..q.."2RC..B...3............?....um.\|:....o..H....e..W'...e."......X.o^.9{.<.sY.........nk;7.....K.S.W....;...$..3Sk..6w[._...k..Y....n......t...Gk....^.k..t...Sg..U..,...v.Y..lw7p....M...v{....<O...^.d{[..0.?{5..I......>y...#..]m$.ztz.)6..z.z.'-K.=:.m.O....W...X&.Ez.8.+q....u..b.=...].m..>.5...8?...k.....(...p.r.=.[H6...6...M.aG....h....\|.I^m.ee9.....e../ccf)-*.....}.LjQP.....m..Y.aW.5+...y.[...k.y..-......:.......p....v..{..m.6.:..bt..-..1JR^..7.\6.CmbR..8.es....&.O......"...sle}].{tU../...iVg)]. ..&Gm.,0.GM.....Kp.km.q..M.g....j.....C.[.DK...U..8BQk....Te...v......a.EJ..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\typical.ico

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
SSDEEP:	192:entnoFoTahmFxRYq7mE25b6K0FHQHVd4oXb2zwNf3i4ij:enWuPFxt785T0FHQHgo2wNf3oj
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p...............wx....................................................................................................................................................................................................................................................................o.....p.................o.....p................................................................................................................................................................p........................w......................ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\white.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 493x312, components 3
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolHmBkDt0+EtZtE//Wmst18n:3llxqQ8AfQRGSDt0RZty/Wmsw
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......8...."..........K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7304\whitesmall.jpg

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 446x92, components 3
Category:	dropped
Size (bytes):	554
Entropy (8bit):	2.356721207995078
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolG5PkDt0+EtZtE//WmstN8n:3llxqQ8AfQRG5cDt0RZty/WmsY
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......\...."..........K.....................................................................................?................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\INA4807.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI48E4.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4943.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4982.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI49D2.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1178464
Entropy (8bit):	6.458242650271239
Encrypted:	false
SSDEEP:	24576:MPNeES6xH6me4EmTeixI7KvGYRnY4eWmsmqFZ7WKZ5EQbhpP9gY0dB0lAwvI/oA:MlPjgzixI+vGYRnAWNTWw5EQbhpP9gYG
MD5:	8161F0819B3ED52B1C5407E248311123
SHA1:	5A0CEAA53740DFD00EF126A9BC947EE632013493
SHA-256:	D3522415D0BCC4556B79869E3AE0E240133616544651FAE1D1D74C5C50841411
SHA-512:	02A4E95B250D9E87FB5B5CB4E003E67B34F6F4ADE649C0EFABDDCAD88645318CADFABBB433EE8DE1A8D9DA07E1BF783A335B0C0A1D143D7F2887BA61C0E2464A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.x'..x'..x'.T.$..x'.T.".2x'.E.#..x'.E.$..x'.E."..x'.T.#..x'.T.&..x'..x&..y'.w....x'.w.'..x'.w...x'..x...x'.w.%..x'.Rich.x'.........PE..L...q..e.........."!...'.@...........M.......P............................................@A.........................m..t...dn..........................`=......`c......p........................... ...@............P..8............................text....?.......@.................. ..`.rdata..X0...P...2...D..............@..@.data................v..............@....rsrc................T..............@..@.reloc..`c.......d...Z..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI54B0.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI54EF.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI551F.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI554F.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI559E.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI55ED.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI563C.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1178464
Entropy (8bit):	6.458242650271239
Encrypted:	false
SSDEEP:	24576:MPNeES6xH6me4EmTeixI7KvGYRnY4eWmsmqFZ7WKZ5EQbhpP9gY0dB0lAwvI/oA:MlPjgzixI+vGYRnAWNTWw5EQbhpP9gYG
MD5:	8161F0819B3ED52B1C5407E248311123
SHA1:	5A0CEAA53740DFD00EF126A9BC947EE632013493
SHA-256:	D3522415D0BCC4556B79869E3AE0E240133616544651FAE1D1D74C5C50841411
SHA-512:	02A4E95B250D9E87FB5B5CB4E003E67B34F6F4ADE649C0EFABDDCAD88645318CADFABBB433EE8DE1A8D9DA07E1BF783A335B0C0A1D143D7F2887BA61C0E2464A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.x'..x'..x'.T.$..x'.T.".2x'.E.#..x'.E.$..x'.E."..x'.T.#..x'.T.&..x'..x&..y'.w....x'.w.'..x'.w...x'..x...x'.w.%..x'.Rich.x'.........PE..L...q..e.........."!...'.@...........M.......P............................................@A.........................m..t...dn..........................`=......`c......p........................... ...@............P..8............................text....?.......@.................. ..`.rdata..X0...P...2...D..............@..@.data................v..............@....rsrc................T..............@..@.reloc..`c.......d...Z..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI606F.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI609F.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSID497.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSID4B7.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi4857.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiD529.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiD598.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiE18F.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiE1FD.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiF13D.tmp

Download File

Process:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\7z.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APKwait.bat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.231009444816111
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLuVFOZh9n:hSKfLuVFOZz
MD5:	326F18673467B34662A43E1B7588C82D
SHA1:	A9E584530B851E014BB475FEBE51474D7E41278E
SHA-256:	4693C9628F2CFC8C789225B984CCEA576D665D6792B3CA265EF0B5D27127CAF2
SHA-512:	56B39C93DE447F73BB94F6A0EECA1E20B318CDA3CC5B5ABE14BCB0C8E6F0A066AF98D8C6DDF42A1E4B57E82747142663FAA5554E5F941E2B90C38D4C105ABC9F
Malicious:	false
Preview:	@echo off..ping -n 10 127.1 >nul..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXhttp.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57504
Entropy (8bit):	6.908600489842891
Encrypted:	false
SSDEEP:	1536:5wQ0j2HOip0EdcP2dWDWoviK2SVb41Pxc73LPxA:5VOqd+vi3Sb0xcDTx
MD5:	02948F19A0488CED88F4806C959EF24F
SHA1:	D47C1439309BEF82C1CA0A623D1CBC70C259B935
SHA-256:	712B2845697459CCDF6E71BAE7FF3B423254A91EB5C85B02551B2AD2A4112EE3
SHA-512:	681182CBB8E55C0008F4D2B6141B507F51C98050F014A66D256A5252E24F8DD2AC8559D71F0F01953830DBBF840F07C57A7E520274180B5AE35329D447AA8675
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..-.-.-..X.-.U].-..X.-.Ub..-..X...-..X...-..X.-..\.-.-..-..X...-..X.-..X...-..X.-.Rich.-.................PE..L.....tc...........!.....R...:......@........p............................................@A................................l...........H................R..............T...........................p...@............p..h............................text...MQ.......R.................. ..`.rdata...$...p...&...V..............@..@.data................\|..............@....rsrc...H............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\APXmodule-2.0.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37024
Entropy (8bit):	7.054557610794306
Encrypted:	false
SSDEEP:	768:dBdwySZ+f1RGV4NhzM8EJPxm5Yi3fPxWEf:dLtf1c4b41Pxo73fPx
MD5:	F6C740A06CF69CB38527B746C1B5C90D
SHA1:	6EE733F791DE76AE9B6EDA05F4514BBAC3D17749
SHA-256:	29B7F57469745537CABAAB229BFB9FC2084CC7BEF14EEFE734C2C3A6EBF02F48
SHA-512:	01FBCAB3ED927082F60F96E0EA6647540F333FD2CB85E6E108D5FD0FAF358C809098B2CC0F8C50CB8BEA37FA81AADF31D21DF3F043B91E71F5D330E1407086A2
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........gZ........................................................t......%..............t.......t.......t...............t.......Rich............................PE..L...K..a...........!......... .......!.......0............................................@A.........................8..L....9.......`..8............>...R...p..l....3..p...........................(4..@............0...............................text...d........................... ..`.rdata.......0....... ..............@..@.data........P.......2..............@....rsrc...8....`.......4..............@..@.reloc..l....p.......:..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ATellPhon

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	2.091917186688699
Encrypted:	false
SSDEEP:	3:WlWUqn:idqn
MD5:	EAD3D4CBA62CAD943DCA9FA88139D258
SHA1:	244E3C37AB41854F5B221653AC42CF26A4FAA97D
SHA-256:	74228703D2D0DCF060D50F1046EDB9D7273D901E50B728AFD50A4D42BE752674
SHA-512:	7ED4C73369A9E1C7CABABD6BB9E04674FC6E1D0C7FB40F46A129B94BFF895F9C65413A4875BBCEC91F4DDDC9B3CF7FBB344CDC87CC9E636DC6843775204F413B
Malicious:	false
Preview:	MZ..............

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Agent

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.761658988442702
Encrypted:	false
SSDEEP:	384:ovAw66vILDbNRhbHeJh8+oXBjxJd5IyYQGSbdkDjkoebjDISVjNW8SCW0:ovAOQbSEln5IyYpamDjobj8ShSA
MD5:	A5DD94434C702493D4577E966134B303
SHA1:	6BFAEB811189C41521802A11E0836237CD169395
SHA-256:	A26F4219815C297C705060B77595EF76E35E9E2BEDBEB5AFB3357CDC5BA2717F
SHA-512:	C5A44A9D526C2D494FCDCD765BAF7A765E53838F53A65DF1D1CE4114FCB1186296A8FAEBEE4BD0A39A41C9E96AA3B3484E07D86FBD117BE7915610EB4EF5CF77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.q.u...u...u.......t...u...X.....B.~.....A.t.....@.s.....E.t...Richu...................PE..L....R.H.....................h...............0.......................................b..........................................x....@...d..........................................................8...@...H...\|....................................text...j........................... ..`.data...8....0......................@....rsrc....d...@...f..................@..@l..H8.....HC.....HP......HZ......Hd......Ho...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.GDI32.dll.USER32.dll.IMAGEHLP.dll.....................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\BBC.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Blend.visualelementsmanifest.xml

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	310
Entropy (8bit):	5.218991813797138
Encrypted:	false
SSDEEP:	6:ejHyaVic4subiKFNFWod/OjpFFHDhkQwY7HmXXKmJpkQwYEn0gCYEnP9FN:eF8iK9WW/OjrF4CA/cX0vXDN
MD5:	B3D5B8ADD818034C991FE15C13E0B055
SHA1:	3FBFBECC2C10DE459586B3B39D2F7CB45289C8B1
SHA-256:	79F8A190196CC5B79B99A07991A34B2E5AA25989FC22121B6C17B80F4772801E
SHA-512:	3C3E233072D9F4F94DDF2AF992339F43755DE9BC4F136BC6CC2EB1255B55C97D86495B8AF415C6880D62D8904D9E2EE61B427CA13FAB08492D4341F1D2E86E0D
Malicious:	false
Preview:	<Application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <VisualElements.. BackgroundColor="#2D2D30".. ShowNameOnSquare150x150Logo="on".. ForegroundText="light".. Square150x150Logo="Assets\Blend.150x150.png".. Square70x70Logo="Assets\Blend.70x70.png" />..</Application>..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Browser_1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.827554659468926
Encrypted:	false
SSDEEP:	3:Ol/QfkTsfIedYRXY:OlTT2dYRI
MD5:	F1B791B8D42F4D4B5794E254F7A86BD1
SHA1:	20B839C9257D51F28C7814C99922DBCD1A1EE248
SHA-256:	174423E75513994F0205EB2D874583D791C17A391B1DD97FBCE3CAD7E7FCAE61
SHA-512:	924CA93F18CB19C2F138E9DCFA21C0E90473EC2FFBAA3AC208A26ED9944FB0FCAEDFCCAC7138A5A825EED3B4FB033653BEE4BC2F79CD9D5084156A0D9D685407
Malicious:	false
Preview:	{491EB955-8A31-4381-BA1F-FDA4C60415A4}

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Bseziof

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	129008
Entropy (8bit):	7.827316426792684
Encrypted:	false
SSDEEP:	3072:vRZzFCwH6WrKxTtcZaUMueR2ZGCApbu7n31bsj9y:pZBC66WrKDcMxR24rpbu71g
MD5:	D76420DC56BE74361FF5053D87A752A7
SHA1:	E4E95C6D322FA5007F045F969A507A79DBA24A18
SHA-256:	CAA76B91F5ED0D10ADD3F757B7412822795013547AB286906D9F3740C0501A32
SHA-512:	C96654CB012F883037DC11478256779A4859C1A8D158D53430CE83040BAA327F0B060D52A6B8C7832F6497D3F7FABEF47EB4E33C841CBB90EA5373D7263398CB
Malicious:	false
Preview:	........@...............................................!..L.!This program cannot be run in DOS mode....$........\..I=.I=.I=.2!.H=..2..K=..!.K=.&".K=..".K=..2..R=.I=..=.....=.I=.H=..".J=.RichI=.........PE..L.....*g............................0.............@.................................................................................................................................................................................................UPX0....................................UPX1................................@...UPX2................................@..............................................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.....D;..t.f8k..$...

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\DataTransform.ini

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.67841607960707
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR8iiLrAmXOtAvHPzT3U6g:OZaRRXQNLXmwPxhb4e7iLkmXOtqL72
MD5:	5DB5802855390316509312EA98913E3F
SHA1:	941E2FB957A5160AAD5BCBB69D4D8EEB1E679679
SHA-256:	16BA11467408450A06C599D7AFC8D3FF383EF6FC06E0FAF028CC71DCF71EB980
SHA-512:	B048090B41CE724D3F09BA82B70606F553658990F007BDB93BE41D0178DA81B210956D815EDE31319C35E86EF74CC5B0DCA69F113D066B16745DE6B7583C3E98
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[DataTransform_CreateZlibCompressor]..Dictionary_Rekey=A.exe..[ctrl]..ctr=SearchRun.exe..[Desktop]..Desktop=rar.exe

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\EduWebContainer.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\CIM_ResourceAllocationSettingData.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (342), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	8108
Entropy (8bit):	4.965236708426262
Encrypted:	false
SSDEEP:	192:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui4Cya:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui/
MD5:	A77B71F6E5FE1F50065AC8A15796AFEB
SHA1:	80A83A247FFD47529419873B32E02852B75D47AF
SHA-256:	D02D5181E13AA96B67AB75F51C03AB1F1286F7A28FD92ACA3021E4E694A4E2E8
SHA-512:	E5502B347C545C4460ABDA78242B238D83AB4645F0495D933B4C419CB4872520915E13C8A6F5137B260B000C690145A8139A7FF47286BC9875531F74167B50A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="ResourceType" nillable="true">...<xs:complexType>...<xs:simpleContent>...<xs:restriction base="cim:cimAnySimpleType">...<xs:simpleType>...<xs:union>...<xs:simpleType>...<xs:restriction base="xs:unsignedShort">...<xs:enumeration value="1"/>...<xs:enumeration value="2"/>...<xs:enumeration value="3"/>...<xs:enumeration value="4"/>...<xs:enumeration value="5"/>...<xs:enumeration value="6"/>...<xs:enumeration value="7"/>...<xs:enumeration val

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\CIM_VirtualSystemSettingData.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (332), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	5951
Entropy (8bit):	4.95379352101584
Encrypted:	false
SSDEEP:	96:IHpusmyEYtpusmyEcpusmyEf6dEvrgeUKMvLm0n/:4usm0zusm+usmLtVUKmLma
MD5:	8737313A1CD47D1BD415F4CD7C8D5A35
SHA1:	C3FE8ED373DD8807DC56B8ACD807A01163BA1945
SHA-256:	190C096159A5286655707E1141EEFFCE86484AC48DE4F54CBA4CD44C59868CDB
SHA-512:	C3090FC492DC1C875715B1A82906F7466CA63AE5BDFAB0A7730DBEDAAF622ED7FC5471D9F036813D423C33CDB4CC80BA9A8AFCC8387E365FDB7148B84BF2BB8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="VirtualSystemIdentifier" nillable="true" type="cim:cimString"/>...<xs:element name="VirtualSystemType" nillable="true" type="cim:cimString"/>...<xs:element name="Notes" nillable="true" type="cim:cimString"/>...<xs:element name="CreationTime" nillable="true" type="cim:cimDateTime"/>...<xs:element name="ConfigurationID" nillable="true" type="cim:cimString"/>...<xs:element name="ConfigurationDataRoot" nillable="true" type="cim:cimString"/>...<xs:elem

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\DrawContent\DrawContentNoname.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144872
Entropy (8bit):	6.1033991888043255
Encrypted:	false
SSDEEP:	3072:Poib/ncfh8z2geq5CpLFuAzpXDGX12HBt:zb/6RpugpY2HBt
MD5:	D0C679D73048A8AF8C5F483BDBCAF0A2
SHA1:	6AFEBA5B8C5A390B2A487590A5EE7E10ABFEFE6F
SHA-256:	952451312864D1CF98C137EF6B5048F325325CC1237B1D1DB26819839ED7FC27
SHA-512:	BCFF13C8FD3B01AA5F8BA54D91ACE7E74EF5A370808B517471271FE39318938DECAFE5A40D26A94D46D3DBB2E5EB152209828269EC86B210B04C3C13B13DA23F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.I.Fz..Fz..Fz.+...Fz.+...Fz.+...Fz...~..Fz...y..Fz......Fz..>...Fz..F{..Fz../s..Fz../...Fz..F...Fz../x..Fz.Rich.Fz.........................PE..L...N.;^.....................<....................@.......................... ............@.................................T...P....@..................PC..............p...........................0...@............................................text............................... ..`.rdata...\.......^..................@..@.data...L.... ......................@....rsrc........@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\LICENSE.3rd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6264
Entropy (8bit):	4.246298126375936
Encrypted:	false
SSDEEP:	3:Pf3v3vP3X3P3PPnHnPXvHf/H3PnXnPfnPHnvfP//PHffH3H/v3PnfHXP3vP/P3Pr:b
MD5:	DDDAB64301999870824A2CC0E358689B
SHA1:	664263BF0641B55AF72EFBB6A9AB91AC77673D54
SHA-256:	DAAA8FC859B10444E218800FC15E2E7560EBF59E269BB58DD8D82C9305F73C6E
SHA-512:	DABA1DC82031056430E0150DAD18B43BB3D4A6AFD67E802BC7F867D274E1221F5BB9C12EA3213148FB6114FB79559C86E141C75D828ADC11F7C4372E70072827
Malicious:	false
Preview:	"z.rz.....r.b...z..bz..bJ.rjRjR*..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z"....."J....JjR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR"J....J.j..J.bJ.....jRjR..J..r.....R..Z..JZ.z.B.R..Z..JZ.zr"ZJjR.z..J:B..B.J.....j......R..Z..JZ.zrjRjR.BJ...z".j.......".Jr..zj.Jb".2z.j.Jr..r.......z..".J.r..B.jR.z....2Jb..j......"J...J...".....r..j.r....z.J"Jr:.J..J.jRrz...zb".2z....z2J...J.Bz....B....Bz.....J..r..zr.r.b..r"jR..z.J"Jr:..B....BJ..rz.J...r"..B....Bz...r.j.J..Jr.b.""rjRjR.BJ..2Jb.J....z.J"".....J....J.B.rz.....".z..Jj.bJ"......r..rjR.B....Bz.........rz.bJ..JbJ...J2.J.........r..".j.:..z..z..z...z..jR.zj......B...z..r.J.:..2.*b..z."zr:..B...b.j...z...J.rjR.....z2...:.rjRjRjR..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z".....".JbJ.jR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR.z..J:B..B.J.....j....b.".JbJ..".bz....jB..r:.B...:j.Jbr.zjb....*bJ..r.:j

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\LICENSE.libcodecs

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.363090655038483
Encrypted:	false
SSDEEP:	3:EGLzVYRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrNNRJhl//bB9bPL9RbtBnbPZrVTF:EGLzWF65x0mq3kJO9NX
MD5:	433000AA79D90F93C87E11F86A786F67
SHA1:	A1B8B8F69884A4CE9BB433D96ACBED3337C5AE5E
SHA-256:	08E569EEABC5D4082F4A59142F22534FF57F12F991CD4E1A36811511799EF109
SHA-512:	DB752A2D65D8F276D6225A7C478EB1674EE3B0829CA57272A54D55C1C9E25A9E9DDD93699E41D6CF53E36313C8DDF4C0C034EDAC765139124620F0E5FFA99E8D
Malicious:	false
Preview:	libcodecs is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., ..6...&,:8 648..,...4&4<.46.."64....4..4.$.. 2...4.pbT.f4..4..p4"4.<&.^.:&,8.f,84".4..fp^f......V.4.2.&&.. ..84.8 64. 2.&,:8 648..,.." .. ".p,.n.:..........0,...:.8 $..<.6...&,:8 648...

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\LICENSE.libdt

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.406360206907183
Encrypted:	false
SSDEEP:	3:EBjMWEXRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrFjJ//bB9bPL9RbtXhbZrVTl/9z:EJuF65x0mq3kJO9/
MD5:	5E48AE384DD6874C64E8129FAA0F4D1F
SHA1:	9A7A273EC1E97FA80304A51A5874E2C40E68D993
SHA-256:	4CA63968FCBE57FE9A9079DBEA85375B6129ABFF45CFB42E24A7F1DDF044943A
SHA-512:	20552DEBAAACF783BB128EB2A619125507921E9E3971EE43EA9613F681FBFD3BA711CD774E1DB9EDD7B56C36D1181DD42D8BB73C0AAE0CA3BEFA20E0B482BC17
Malicious:	false
Preview:	libdt is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., Ltd.....:6..,...4&4<.46.."64....4..4.$.. 2...4.pbT.p4"4.<&.^.:&,8.f,84".4...4.., ".......V.4.2.&&.. ..84.8 64. 2.&,:6..,.." .. ".p,.n.:..........0,...:.8 $..<.6....",8 ."..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\common.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6812
Entropy (8bit):	4.737569607251046
Encrypted:	false
SSDEEP:	192:z6H9K9r24/jtVOuVG/PCGHhWrrIafb7fL5qlz+DLSQ7LXOgF:VNtLz/Y3xB6rPPlyz+Dt
MD5:	D7216C4C115C30D3DC996F339C2197E2
SHA1:	9C90B140316FFB6AF090BD80DF40EA744D555B11
SHA-256:	946C1E2C50EA753E2CF3F40CB4A83C319E0D5693C3B017AD3F9811792319D2EE
SHA-512:	9A0F133B8517B86A29AAA0F541573842A4B76D6DE30C1167D4EEB2F08D0568CE94ABC81341049BFA328D85DFDC8D8B74177B9A896107C2438168EA4EA5B47FC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>.... DMTF Document number: DSP8004 -->.. Status: Final -->.. Copyright . 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. -->....<xs:schema targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:xs="http://www.w3.org/2001/XMLSchema".. elementFormDefault="qualified">.... The following are runtime attribute definitions -->.. <xs:attribute name="Key" type="xs:boolean"/> .... <xs:attribute name="Version" type="xs:string"/> ...... The following section defines the extended WS-CIM datatypes -->.. <xs:complexType name="cimDateTime">.. <xs:choice>.. <xs:element name="CIM_DateTime" type="xs:string" nillable="true"/>.. <xs:element name="Interval" type="xs:duration"/>.. <xs:element name="Date" type="xs:date" />.. <xs:element name="Time" type="xs:time" />.. <xs:el

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\hi.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	4.277108053686666
Encrypted:	false
SSDEEP:	192:WvI+bMk4g+7rdT2sc4EtGXQgcWh8bvPgLIjJQ9tkTjIkja4tEDIzqIrpKaF13aSy:Wv9oq6rdT2T4EtGXdF8jPgLIjJut2Ik0
MD5:	E34E94531BAF8957EBDFB5ECCDC52635
SHA1:	D7139BDF34F6F167456014D4D5E16CFDFCC18214
SHA-256:	5AF2CC87FE9FA69DA65C990070EE17AF3F612E3883621BD2474161BB508E454F
SHA-512:	CF3F4BCF0F5DC35BFC77594FD8AD4E9C6BF32291DAE2298C84B3A465EDB4B75851C0A58F39BB6828EA69E31293E5A4DA5DAA29F4B3F31306F37941491992FC58
Malicious:	false
Preview:	..........N.....N.....N.....Nr....N.....N.....N.....N.....N.....N.....N.....N.....N"....ND....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....Nb....N.....N.....N.....N4....N`....N.....N.....N.....N.....N.....N.....N.....N=....NI....NU....Nd....Nv....N.....N.....N.....N.....N.....N.....N/....N>....Nw....N.....N.....N.....N.....N.....N.....N'....NX....Na....Nm....N.....N.....N.....N.....N.....O.....O&....OI....O~....O.....O.....O.....O.....O^....O.....O.....O.....OI....O~....O.....O.....O.....O4....Ov....O.....O.....O.....O+....Og....O.....O.....O.....Oy....O.....O.....OV....O.... O....!O...."O....#O)...$O2...%OA...&OS...'O_...(Ox...)O....*O....+O5...,O....-O.....O..../O....0O....1O"...2O....3O....4O]...5O....6O....7O....8O....9O&...:O....;O....<OB...=O....>O....?O....@Oc...AO....BOo...COY...DO6...EO....FO%...GOD...HOk...IO....JO....KO. ..LO' ..MO6 ..NOO ..OOq ..PO. ..QO. ..RO.!..SO.!....`!............... .......

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\hr.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4256
Entropy (8bit):	5.476332948782519
Encrypted:	false
SSDEEP:	48:nizQz4KzjHCKvMzSBvdI0s4TkqZfDhPhbdAQv7Dg3M3Y2UUzgJJC+Mo1tMoIJcAO:i8z4KPnM+JdLsY5xDhYrhRjaBVI7vr
MD5:	7CD82242FDDA155F0DC4C830A73225C4
SHA1:	436A156C8016B96B83B11931FF9562F29D805977
SHA-256:	0096FD57392462D010E9B4DDDA4D021A8B5E5BA78FF097958C1E7A00EC175A2B
SHA-512:	2C5133E3673D8470AF6067AF2E5B7D2150B71D3D87379CD94574F72E3CA2B251C08C7F7F530F705CB2EDD8D96263BA9A205346B5704238FC748180235C6809EE
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N ....N&....N.....N6....NE....NU....Nd....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....NF....Ng....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N3....NA....NG....NR....NV....Nc....Ng....Ny....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O$....O,....O9....OZ....Oj....O{....O.....O.....O.....O.....O.....O.....O!....O.....OO....OS....O]....O{....O.....O.....O.....O.....O.....O.....O3....OO....Og....O.....O.....O.....O.....O.... O)...!O5..."O@...#OF...$OL...%OS...&OY...'O_...(Ou...)O....*O....+O....,O....-OZ....O..../O....0O....1OV...2O....3O....4O....5O....6O....7Oj...8Ow...9O....:O....;O....<O....=O....>O....?O....@O8...AO....BO....CO....DOe...EO....FO....GO....HO....IO....JO....KO....LO....MO(...NO0...OO7...POR...QOj...ROr...SO}.........DetaljiSpremiOvaj je indeks mogu.e pretra.ivati. Unesite kl

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\hu.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4734
Entropy (8bit):	5.650888808404625
Encrypted:	false
SSDEEP:	96:+AA8bFIK4pwdJj/JqLn5yEnxSabw7rMVrCtZcqRcU+EFUkozbFFJOHVOrS:FAmkp4JjJqLnoxscZcqRcnEmko/FPO13
MD5:	8C5F95F081F6A23A2D058562A24224FC
SHA1:	0D8E3138654B66998341B1B4D07CB6E0CCF56DA3
SHA-256:	2288098F91E90D5F5583A42ACDB4D278A8438656A190EBC57FCC034FA0110054
SHA-512:	4D4A183A07B4014848DD5B50F520BA43ACDB37C8A2E280E32CC080A6FCDE8EE5D758CD0ED71A104E6FFDF3566BAE08A1141D666E0951344D98F802C9381875B0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N2....NF....N\....Nt....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....NL....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....N/....N5....N=....NS....Nc....Nj....Nz....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N9....OD....OS....O]....O{....O.....O.....O.....O.....O.....O.....O.....O,....OI....Ob....O.....O.....O.....O.....O.....O.....O.....O.....O.....OL....Oh....O.....O.....O.....O.....O.....O....OH... Oe...!O\|..."O....#O....$O....%O....&O....'O....(O....)O....O....+O+...,Oy...-O.....O..../O3...0Op...1O....2O....3OP...4O....5O....6O....7OH...8Oh...9O....:O....;O....<O....=OE...>Ok...?O....@O....AO....BO[...CO....DO....EOt...FO}...GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO=...ROF...SOQ.....~...R.szletekMent.sEz egy kereshet. index. .rjon be keres.si

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\lco.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	7.307434278749024
Encrypted:	false
SSDEEP:	384:azbge2/99IpWUFyCKaMgXGT/bl55oqyfvN:azb619IpWUFyQiB55aH
MD5:	E057AA4A56A9A2A628A8053F25A27D7D
SHA1:	D839E5258BBDB871C746C2CEF52E336487535C47
SHA-256:	2519081ECA56FADCF3B62E7CB22E55A1F839B9055E9F1E404FC28145D149E913
SHA-512:	D968AA76B1483A14B7D829C755A99C7AD09163D18DA6806F23B3A33664292F16A4695B596B0D2BE619A3B6DC909CFCB8CB7FF236641D1CC012E4F438364945E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.P_=.>.=.>.=.>.R.5.<.>...0.0.>.R.4.'.>...c.>.>.=.?...>.i...<.>.Rich=.>.........PE..L......@.................0.......p................@.............................................................................t...................................................................................................................UPX0.....p..............................UPX1.....0.......,..................@...UPX2.................0..............@..............................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\li.dat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3431390622295662
Encrypted:	false
SSDEEP:	3:dU6mWhRE4Qm5In:vmWhlQ6In
MD5:	233B4AAF620B36D5569FFB334806A663
SHA1:	99E4C2ED4447B3CA2772F11374E7EC22DF06A04B
SHA-256:	C0F5633F8058E6CF0FEF5CE6AB91438663A1AE2670CB49350E095D8F667C9870
SHA-512:	24F4006DA19AE7B10408250AB326DB4EABE6E782BECCE130C0F25D2D0E43E738624CFD490BFAC0A8A6BD6E164C01FB76CD69BC050AD0BBF3052A854A516B0170
Malicious:	false
Preview:	47AE4CA89C38F4D75F115CF41887F878

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\livehis.dat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\package.json

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (766), with no line terminators
Category:	dropped
Size (bytes):	766
Entropy (8bit):	4.058458203323675
Encrypted:	false
SSDEEP:	3:Hf3xVxLvT5X9dz7bvfdz7JvV7zVBtD33pRXhXDhRZDR7z9fjdzp93xh/Td7f11tx:v
MD5:	5E41AD36487EAB944983A14C9C124D93
SHA1:	B8B098B88CBFF2F64589ABDBE7FBEFCA7C99FE3C
SHA-256:	26C6BCF0EFF67807AEB9F2F407D06DF653B99724AFAD9C9A9B8129DB7D8C3FAE
SHA-512:	F876BD1E49BB0C0B0660E14DD2D95C75F2124AFDE00D095674E53D0440B7BA7B89BC1A2576A9FE755B5C727E5808DB1C8A127CE4E4B2C124257412B76A200FD2
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\rpi.dat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	5.7488500702321135
Encrypted:	false
SSDEEP:	3:Fjjlnn5tllNTFllxXxjX/DNZH1/HnDD/trvDlL5TrjJrdbXZVtX5L3dlj1b1hX7x:r
MD5:	6513F31AB6F308B0B8802FA04C450122
SHA1:	AD3D14C5F78B5C2F2C4DAE06A486156A7B4126E9
SHA-256:	1445C8422A8FF14D8414300B819CBF2340A03A64158FCF7A3CCF76FDDB10DCA2
SHA-512:	CFB2754253E71B48EB6D69BA93641D06C0608C38FFFDCE2F5E54CED002997C9821299BADF26D95B2D84A41F13CA96A4F9D1C5E38D52DB2934AEF64C988844D98
Malicious:	false
Preview:	....0...............b.\.`.\.`.\.b.`.`.b..............................................8.......................................................................\.........................................................................................................................X.4(.~x.x.b...P.....Jt....f......VD....H.V.Z..~v.8.&h.x.x...F`....J.P\|.2.P....h....F..j...h\|......~r.0..:...DD....>.B`2..x.FP......H.4.P.............x.....P....... .........6j4......X4H.z..D.x.b.....Nt...l\pn44.@.n.........&......t2. VP.tx6.4..F..h.^..v.^..6.L.....n..\|0@.R..P..x.J...(..lj.....&n..~.dV....td.B.....F..2:~...l..X\..0.`.....<.&.....@.N... t.z...Pr..Z..t..L.h...L..t..:.$..<.vx~..$>....L.xb.xJ......L&v..v4x.p.."B.@n.6....,.(V.x.R>64.....v...~...J.d..&......\JH.t..V...".0..n.TPd..,0......0.2.r.\|.....:....2n...v..6...P..D....$.....8.&r.Fh(.d6.....J.n....$"...Xz<.2B~.z..H.....BV.X..\,.2.j...`..h@...j......8X((.b..6(B.@D..b...6j..l&0T.<.(.T..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\slist.dat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2356
Entropy (8bit):	3.7394907365919403
Encrypted:	false
SSDEEP:	3:nFrrxzj79bNZbHNbZdT9LbdHr/bfblpbdXzbrbrVd9P7XF5V3Rbb/NjbdbF9X1TH:R
MD5:	3CEEBAAA7FC6344B0274AB9274DEEED7
SHA1:	38832454403400441F9824C2265256A650C947ED
SHA-256:	F526024533673E6F167903F21978017EC712566E9EA1DD249671F119719F8DE9
SHA-512:	3E63A0F5764A59E77E5B0C4680DCCB33D1D52B4E622F84762D9949B736A6BDAB416BC72F3D2501BA90D46414186EC2C42677D1528E7186128D96082C32CB00D2
Malicious:	false
Preview:	..$.......................r.r.\|...........z...r.x.......x.....\|.....\|...x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|...........8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........x...\|.z...r...x.r.........v.......x.z.....t.x...z...........x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.\|.....v...8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........v.......\|.\|...............z...\|.....t.......................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.t.r.......8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\version

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\HoursBroker\xml.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9123
Entropy (8bit):	4.770624688403829
Encrypted:	false
SSDEEP:	192:FavQwyIregmSPwTy2k/3EeEQ6xGbd81PyCmD0DE:UvQwytg1425vE5bPEADE
MD5:	9FE2776E8A9D4BCFEE812A69F37DDABD
SHA1:	6264C527A996806B0C439F17C56B2E96DBF0FA82
SHA-256:	0BCA167A1B2FAABF9F2BB59A7C55C09B25C71974DB4D6125F91A14B7071F5E9C
SHA-512:	89D00A7602FC47858A0B0ADC81CDF4F63CBA0728EDA0B9824EA9DCC09B39A596A61034DA5001377444D6B6E07B454028DF528E722F5D2D268A50B296E2990259
Malicious:	false
Preview:	<?xml version='1.0'?>..<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>..<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" .. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. xmlns ="http://www.w3.org/1999/xhtml".. xml:lang="en">.... <xs:annotation>.. <xs:documentation>.. <div>.. <h1>About the XML namespace</h1>.... <div class="bodytext">.. <p>.. This schema document describes the XML namespace, in a form.. suitable for import by other schema documents... </p>.. <p>.. See <a href="http://www.w3.org/XML/1998/namespace.html">.. http://www.w3.org/XML/1998/namespace.html</a> and.. <a href="http://www.w3.org/TR/REC-xml">.. http://www.w3.org/TR/REC-xml</a> for information .. about this namespace... </p>.. <p>.. Note that local names in this namespace are intended to be.. defined only by the World Wide Web Consortium or its subgroups... The names currently defined in this namespace ar

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwCommonUI.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1020288
Entropy (8bit):	6.392670889032173
Encrypted:	false
SSDEEP:	24576:m25q2rSATcolN/NKEM7GYNzOgcW6tAhc7rgnFEwXXfe5V2:m25q2rPlN/NKEhYNzOgcW6tAhy6EwXXb
MD5:	C87054BA4A83C6CA19977C446A722A7C
SHA1:	5743B16BC6D600E27B66D13CC04208BAE2A9A880
SHA-256:	6CB166C1895FC7DF5235658E3963C82200BBE5E71005FDB4F8744657A7F49B09
SHA-512:	87449A5FEF2B2B77198E0D946452F8E05B8F2B7ABAE239EDB2B848BD5E3F7A332A208DE71CAC7912D788CD1C47F80FA2BE9ED61DE2F8EA378E610A1DC0C46A9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..('.`{'.`{'.`{s.Q{%.`{.V.{!.`{...{&.`{...{".`{...{+.`{'.a{.`{.V.{2.`{.V.{&.`{...{4.`{...{f.`{...{&.`{9..{&.`{...{&.`{Rich'.`{................PE..L....,WT...........!.....<...8......c........P......................................`...............................p...30...t..T....................x..............._...............................................P..P............................text...-;.......<.................. ..`.rdata.......P.......@..............@..@.data...@...........................@....rsrc...............................@..@.reloc..r...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLayoutMgr.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	287616
Entropy (8bit):	6.429805120462574
Encrypted:	false
SSDEEP:	6144:54s5ND8mRd6PUep7GdwmT+8b/IgcyIFoWIBOtBp2HsoM:5D5ND8mRd6PUep7GwmT+c/hOIg2Mp
MD5:	F260AF60120ECE46C499BADA5B4277AD
SHA1:	F1790AAC72B10A4BD4D88E9A143B96BE996197AC
SHA-256:	D52D01E382EA39D005F7AD2F3C13DA45B4DE4779608E08A9FB1AD5630D122043
SHA-512:	19FA19716965E0034AD57B0CE15BFF54DEC67D3C7E73408ACEC2E642E82DE4AC1E0C42E19CA58C494A1F95014980FDBDC9D904701F2CB421C993B9660F3C5C89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...@...@{.C@...@.@@...@.V@...@.Q@...@.F@...@...@...@._@...@.G@...@.A@...@.D@...@Rich...@................PE..L....,WT...........!.....B...................`......................................X.....@.........................@................0...............J.......@...2...d..................................@............`...............................text...T@.......B.................. ..`.rdata..#....`.......F..............@..@.data...\...........................@....rsrc........0......................@..@.reloc..tD...@...F..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLib.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306048
Entropy (8bit):	6.678408876122077
Encrypted:	false
SSDEEP:	6144:YxgkPaSM1AoCbO0PSyTws4H9pAKz6QRWO2TBdHRrtYOttYO7l:YDPaUBKODmH9pdXRWO2TR/
MD5:	2E63EA70505847A7DB340F5004FDDE71
SHA1:	A4DA7AFF18A9A747490633F5490959BAF75658B7
SHA-256:	87AAB5BBBD2360C819B4E58BB0667693147764BA39FCDCBD3549ECA1D57355E3
SHA-512:	7DF80C017E2F5D1E40CB41795F40E82025B5ED188BD5AF4C812D24F9E8C77438C259417E8592C4D528D37DA495815A057623CCFA67DF35B27980847DBA91AEF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L.}...}...}.../D..}....S..}..M2V..}....U..}....C..}....D..}......}......}...}...\|....J..}....R..}....Q..}..Rich.}..................PE..L.....4T...........!......................... ......................................&.....@.............................Fk..p...................................L....%..................................@............ ..\|............................text............................... ..`.rdata..F@... ...B..................@..@.data...(....p.......N..............@....rsrc................T..............@..@.reloc..f8.......:...X..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\KwLogSvr.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73088
Entropy (8bit):	6.419370395015747
Encrypted:	false
SSDEEP:	1536:OD24dyONDcOUOM498ldXs2xnQ+xcLP0OK2LBaNwF:X4kOO498laIQ+xcoOK2LBaNwF
MD5:	15F1FEC47E3AC4A2AE67BDE110CA698C
SHA1:	84EA58DEA72D9FE5B36ED64BEF2C19A43DF90EC1
SHA-256:	003D0E9F37639687CD72F8499743F88B54388A81E4322260280A70C0E601AE21
SHA-512:	C42E8F04FBFCE139D8365CC69CC161469FBB5443A2ACD9CCBBC584F85B04ABE2DFDDCAD1D53ECFB2AB54EBF004F5F10B730A2E677BBABFAD56400BEA7371AEEC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.r.1.!.1.!.1.!%~@!.1.!.IC!.1.!.IU!.1.!...!.1.!.IE!.1.!.1.!>1.!.IR!.1.!.ID!.1.!.IG!.1.!Rich.1.!........................PE..L....,WT...........!.........V..............................................@..........................................B............ .......................0..........................................@............................................text............................... ..`.rdata...<.......>..................@..@.data...4...........................@...ConfigVe............................@....rsrc........ ......................@..@.reloc..:....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Lastnama

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:I:I
MD5:	C2AEE86157B4A40B78132F1E71A9E6F1
SHA1:	162CDC2A8B567050EAE25592EEEDAF33464A7A76
SHA-256:	46DB1CA7F3598C26C3E6C8D99E3ED95D2B1C76DB040B8F8CD29AF723EE086077
SHA-512:	784CC010C961A58B42984A4EC538D299AB92C01CB95171C220FD26C473491F839FD032960DC148C866DA45411D4ACB93188F0F7857F6F2C09DDF3E9FF50248DB
Malicious:	false
Preview:	892

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Lastname

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:U:U
MD5:	43FA7F58B7EAC7AC872209342E62E8F1
SHA1:	F022DA4E40566305C0C8F39FD8F4B83DD5368834
SHA-256:	96BB293AAA330EF307EE004448B92B75FFDC25ADE2831ED23FC60FFA97FFFB7F
SHA-512:	64B5514668BDBE6ABE7F86ABD790005F46D593D8E3EFB785C87DD8BA9035B8BC5FC72001DA81883391B690A5191057062EE711401C3E95C1935A3D3FFED138FE
Malicious:	false
Preview:	816

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Lastnymc

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:kQn:kQn
MD5:	82F2B308C3B01637C607CE05F52A2FED
SHA1:	75D2A5A3C528920D00425F29099EED114B9134E0
SHA-256:	5C3E9040008C91509E2D28E5308034B677D4E2CC0B386863D4883BDB747EBA1C
SHA-512:	91CCE11EEDA35FD527AC3DDBB930281FCB14AF0EE46412D7A389B59AEA3F8D56F3D46E2EC3BE167406AC4D8FBBD4F7C1246C8F1E30384FDC913703A48D36E4BD
Malicious:	false
Preview:	725

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Lost

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	2.7534343861887853
Encrypted:	false
SSDEEP:	3:ldNojgn:3NoEn
MD5:	5224444F84FC62353F98AD824C1B4F7F
SHA1:	9BC379C9B01210F9AC136B87039584FEBFD8465A
SHA-256:	F47FFEC6EA87BE558D26F9585C02E06A1B657959E4FA1A0EBEB883504BE2EFD4
SHA-512:	387BDACC1827D046D28AE73352E6D85DB018B06F70146952AB92EA004CD46F8154F5BB9153F17DADB5F6CB20CF6352AB6D1D4B1866076F97427D26F11C9D1FA0
Malicious:	false
Preview:	+/.4"(4++)4+)#

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\LostHe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.197159723424149
Encrypted:	false
SSDEEP:	3:1Z:1Z
MD5:	0D7C1D8AE080978B8436817C87C11684
SHA1:	C83087520942084476EF74151BF451A0557993DE
SHA-256:	53D24F3BC80C44785C7645F347A17942B607CAA451FC2337F458EA0A73F920AD
SHA-512:	8605C26C90441DFC7DEE0C5816DF5DDCEF42D4A02DE7D819936A60C10A57191AD67F0B95F23FE8CE085EF5F156FBBC57303B44A995AB13B2B8CC941AAB73FEFE
Malicious:	false
Preview:	.cf......

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\LostP

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:K:K
MD5:	49394C8AF72820A1AEB5C9924E2D9281
SHA1:	9F09DA9131EE0047BC4E368ECFF439F0F5E250BF
SHA-256:	631102D19F7CFA51907975CF02066DE70C2F4B5B6A4E3A7F9C4871719DC2A97E
SHA-512:	A3D662166699AC8784C01E0B7EF5D8F7716136B87EE0CB9FFBF5F45F730B8470E7ED57A90956E1F0FA4F4DE5C5C60960AF8622493EBCC88B2A0929FE798BAD60
Malicious:	false
Preview:	,)-*+

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\LostPHe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\LostPShe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\LostShe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:q1vC:q1vC
MD5:	213802ED7972AEAFE6237FA1453F1FD0
SHA1:	794A4B01CD429D110180DAA19204A098C42F11E6
SHA-256:	398380CF3867FE7C45A44E02C5542299346B631E627DB931B1FB4C8BE82C58E7
SHA-512:	FE6CFC85A06969389B3AE345C566AFEE7F55F011425070B9AD6342F474266A440EFBA98EA8181DF1AE24A3C617E6CF2A3C916740198F3FEB1B70B5B403A537CA
Malicious:	false
Preview:	af.cbe.a`..`g

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\MemDefrag.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67184
Entropy (8bit):	6.560571950422605
Encrypted:	false
SSDEEP:	768:mE8Ush0dMK0vVZdisbH8iBRq8aZ+LhN3r22t19zS4Kye8pOxbGew2MSPDGjENAMb:mE8tSiKlqcHFChNbj19znKy92bGjwx9
MD5:	D9E742CB7C33C378602A144904756845
SHA1:	6E9C521A8E657FC8B46312AD79C1C7CE08C10766
SHA-256:	29626F619DB47C528EB910C15CDF2D139B512024331DAC91E7C562DF4FF297D8
SHA-512:	4474909CEE6BEA404918A0D9650D72F766A0FB27A5BB7A0BAD04BBD6F6F05EBEC11BEAE9080B4BD9E7A55A8614517B7A7F1DCF49F68308E51AEDACB2FDAC164F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.x.)...)...)... ..%....K.+...{..."...{...-...{...1...{...-....[..(....[.."...)..................(.......(.......(...Rich)...........................PE..L....3.d...........!.........T......g{....................................................@.........................@...X...............................p2..........D...p...............................@............................................text............................... ..`.rdata...<.......>..................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.Bcl.AsyncInterfaces.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64960
Entropy (8bit):	6.573463392054397
Encrypted:	false
SSDEEP:	1536:mbT78So0kats7efpLfvQcl/h5GDwVwZtyA+7XXxDp:mT8Syaq7SBQ35+b/
MD5:	644F4DF789E7B1CC9DE8FCAE8A9B7035
SHA1:	DA389C035C18342DAC47D82333E6F6A9D54E067E
SHA-256:	D2A5F4C9A8DE1FFA1482277889D71738F220DDBD287A279FA11CF2EB4FC1F0E8
SHA-512:	5B49BC385D6460F60FE5D598FCA27E68378A2D7752FA0A9ED7956A1B16B1CCF22EF6300AA8A36AD284047B7D8C4A2654EFFECA845BEC24D21BC9E727A7F39349
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.F8..(k..(k..(k..)j..(k...j..(k..)j..(k...k..(kH.)j..(k..)k..(kH.-j..(kH.,j..(kH.+j..(k.-j..(k.,j..(k.*j..(kRich..(k........................PE..L.....%e.....................N......@\|............@.................................H+....@.................................`...@........................)......P...d...T...............................@...............H............................text............................... ..`.rdata..@:.......<..................@..@.data...............................@....reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.302102385514918
Encrypted:	false
SSDEEP:	12:TMHdt4IBeBFLOwHR5TNl+rmxgVKaGNLzIZ:2dtFEDCwHTTNl+rkgkJNLzc
MD5:	1CCB36CF4D7744F2A2449710032573F8
SHA1:	22C61BCDFB941EB6AA0829F8FECAA7B716895BF4
SHA-256:	8DC44CBA880E8E7A0776981FAC21094F905750C02890CBADC5059D1049D357EB
SHA-512:	53C6595A29C4636E4FDD800A48DEBF299DBFAC16396C217165BCB9D2E1B431982A1E3D5C8EA7850C178A6F6DA599DDF862DC7F64F29884EC0633A879B5B9C6B3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ATL80.dll" hash="6d7ce37b5753aa3f8b6c2c8170011b000bbed2e9" hashalg="SHA1"/>.</assembly>.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504)
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	5.362806750573066
Encrypted:	false
SSDEEP:	48:3rpK+higVB09kkK0hpzxU09kkKqYhzQC09kkK0FFz9:7pthNXkHndUXk8hNXkFjh
MD5:	12B6A5638A4D54F6E613CAFD04BC1C0D
SHA1:	0BD3E9F83883B00DEA8DC95112C8BBD74A14EDEF
SHA-256:	3B55C9DA463C5F6BBBD1E73398FABDC30998BC525F4FE6E586BE711E660BC800
SHA-512:	15272B53972D70C089C9EBF554DE7DD1BC4707EF2FA8D526E7022FC21C8A74AD039387FB4BB53835D0B4443227CB1AD1C1D2CFCB1D205C2729F13BD1FAF9B008
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xml

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
Category:	dropped
Size (bytes):	1860
Entropy (8bit):	5.392371898016726
Encrypted:	false
SSDEEP:	48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
MD5:	53213FC8C2CB0D6F77CA6CBD40FFF22C
SHA1:	D8BA81ED6586825835B76E9D566077466EE41A85
SHA-256:	03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
SHA-512:	E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.CRT\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
Category:	dropped
Size (bytes):	2357
Entropy (8bit):	5.378158011805663
Encrypted:	false
SSDEEP:	48:3SlK++U6g4A09kkKNzx09kkKJpzSgd909kkKzZuzl09kkKTzY:CltFCAXkgNXkKGgd9XkxZXke8
MD5:	0323AF0C3E694D85650AE55AA27EEFB3
SHA1:	672079C9564B4EC16EFB24DC80DE3EBEAF2A9F27
SHA-256:	1FED2074AB9F90D9FCCC5A49B6AA42C917674C2B5C7B1BB93FB67B0E0C944818
SHA-512:	5DF2D8B07B3ED0CAE3536C09AECA714B56EB75BC76668447C45917E890F5D22EF14B6059BD5782FD06D075A8497BC39A89F809E413C637405AE9BE4193C66FE1
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc90.dll" hashalg="SHA1" hash="ec50bf1691888076202d5831599ac75ba0d35977"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>WuUqeI7Lf0+bhIfTm0T6Pv1L13g=</dsig:DigestValue></asmv2:hash></file> <file name="mfc90u.dll" hashalg="SHA1" hash="c752d2a42c0b82d2145cebcda60c7e5a43245cf4"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft.VC90.MFC\mfc90.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3765632
Entropy (8bit):	7.006945366952565
Encrypted:	false
SSDEEP:	98304:dOPkcHVGUQywT84a5IY9IViQ0zMzlp7toNTbPXQlk3glLsFLOAkGkzdnEVEFoKGA:WkcHVMTlBp0TrwlLsFLOyEFoKGD8
MD5:	225F7A12F61B3276D12310F457822D7A
SHA1:	F05B2DFE12D946606DDF0CD7E8A15027D75718AF
SHA-256:	3CED269344FD6AC7A3872D3DA39364397193C650A497702A0849C9543601A42E
SHA-512:	EF09DBC3FF0C6F1B229B4FCFD371A05E5570FDEB296D0F051F1AFD7C2F2567CEF86E47A3DA1B6D3B4AF116D9AC9F7508C36BAC065120F4519BC960AB0475349F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y.......y.!.Z...y.......y.....y.....y.....y.......y.......y.......y...x.c.y....0.y.....y.....y.....y.Rich..y.................PE..L...ImYJ...........!......%..(........!.......%...^x..........................9.......9...@...........................$.....,.$......`&..l...........\9.......6.\.... ..................................@....................q$......................text.....%.......%................. ..`.data.........%.......%.............@....rsrc....l...`&..n....&.............@..@.reloc..F.....6......r6.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Microsoft_VC90_CRT_manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	2.9968027726780173
Encrypted:	false
SSDEEP:	3:HSu+QvdSG/cn:+SQqc
MD5:	6E17DDA977CBC993A9308145693BFE90
SHA1:	D964351BEE8764DE9CBCA186B7D1F526EB6361DB
SHA-256:	615707952EB080E6824699C73F1D914C2278E103CEA452CF4111063DD274458C
SHA-512:	3A1A40DBE7FF5911B3D42DF7C8A74470869CE3F75612A19A73256C799F2A1DD472607F3C89DAD5060AEC1FA953BDFED90A481A4413D2999D122B7AB1D8F7DA77
Malicious:	false
Preview:	577F7F777C753E756875FCD3D7619

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\N0vaDesktop.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\NULL.bin

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	125376
Entropy (8bit):	7.998479503470445
Encrypted:	true
SSDEEP:	3072:FI6dBzpxvuZ9UIQrNJ6DKxOssBCI4sB74xoGhFo4Z1J21:m6zzYsBMcsBCpO6Py
MD5:	0C21E337569640A73AF44474F44CB9F7
SHA1:	82C3C1C2602250441C1B18200F7FBDC2B6443352
SHA-256:	BC58641B4F43BE40016044046321F77DD153F0BFCE6E4E9D765711838DB13ECA
SHA-512:	7D19FBF9E907E468C34813B0E1E4F2880762573C9EFE678C36C5CA254890A4B0A008DE72E824345C3FBB838C7BAE3E3D991D46CFAF0FAA73BE89EA88DB2E3C76
Malicious:	false
Preview:	...:w.C...k....r....F...g{>..K....3==...6C..l.../.H..L.\|,..#.c....../I.....>........2.....(SH..Z..uJ...t..#Ov..p...XJ..E..8.t.....0d.Ew.DR...lZF..i0..v5.....y/......g...Z=.Z\|.)4.o.n.....i.g0..T.Z.......i...-.F&....{.'..E....G./....M....L....U..?....Ei'..\|.)..J,XnL...<..A......1..D.%I.CA.....#.-;z...g....U$.{.t.$\...$.+./...\|.@.5.0d.H..D.Ga..Tod....\{...Mj.\.....}..:.............StlE=.....~..3......;....I.@I.<...<..;....Y...u...P.....F.1p.^.y...f....P././}.....P.b/.J....?n.^"....S.1.}.JT...rS^t..5..X..["rL.<....$..K]`-)aq. ..1$.X..]... .9....k......v.../!....Vu.m.W.9G...us,3.....i.}..2.O8.t....j..mi..~..~'H&.....)......f..%...h.....i.f..0+.8.;....r&Y\..TO.E...!..n...t.h...KZ..K.L.i.h.,.;bm...`sS.~..\O.i.v!o.,..G.'...:=.Fn.x.b.E^r...j}.<.b.}....V..`M.Y\|;j,=....g.*..g....).Cw.eC.K...C...8nMc....P..[PP..Ghq..n.#..6j;.V..z..L.}..^.k.A......R....M.=}.bN\ty.3..c\|z.\./-E..^.P6..`9.8&xH.y..&...$.6...t........V..EZ.Cf...x...1oH>Y.....+..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\NVIDIA_GeForce_Experience_json

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.0657682899193968
Encrypted:	false
SSDEEP:	3:4j46giWEcn:046BWEc
MD5:	23A56B3DBA64589852CD17E11CA111EF
SHA1:	FD6568661FC88695B76489727FB59734B2152427
SHA-256:	0415B8232791D3345042C516C9AF6F4FCACCFAD5D794FDAF1A15F0B34C77C3D1
SHA-512:	29837A72F9C7858C2DA38C2D69C64E98A531CDBF46D8EC7E92F608F917D93619AAC6B38DDD792FCDD8F654B51C7F6D6518F3CA120E7502AE8AFB979FEA015C59
Malicious:	false
Preview:	7C79727375763E747C7CFCD3D7619

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\NetDevenvSpeed.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\NetSpeedLog

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	330752
Entropy (8bit):	6.280455055315828
Encrypted:	false
SSDEEP:	3072:x9LbnjzIPOmRM0KQfU9JwjvD2xCovPVZHuEi+e15HiEGPGqQiblLYEaZ4OYlYXo2:b928/BvNZ8NHd7ibGYuG9/31P+HvufI
MD5:	AF1EFD2EFED6CC982E4AD7E1C19DC057
SHA1:	88C72A225D8DF3AF56A69EFF41295624FBE821E8
SHA-256:	00E7F8BCF5A97ED5A4E16A03E50EDEB6C2CCACE498DA46753E56C9A65042552B
SHA-512:	D6876F27010EBD4C7C28F1A8B14EF41D7096B35402EF0B0196C379C5D130AE3C9F94DE63B70E5A0E62BA717B7A07B478D830DC5896BCBA721E5AE0D2BAC14A00
Malicious:	false
Preview:	..D.................................................................`..........................................................#...@...@...@.......@..$(...@..>...@..B6..3@..B6..@..B6...@..$(...@..$(..<@...@...C..B6...@..B6...@..B6...@.....@................................Lj.........4........@.........T........d.....................................................................$......P.........`....................T.....................................................d..(............................\....SF.......@...........................n...d...h...\|..............................Z..........................`.......................................T...............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Ntvbld64.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\OTGContainer.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\am.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6669
Entropy (8bit):	4.733830185137714
Encrypted:	false
SSDEEP:	192:4c2LQ563O84ggqSdqfD6JngOvFfkxFfdpj8IY8YS3dRp79S7EO:pIEiKT5hTvWx11Y8YShhS7EO
MD5:	748E5EA71A607EA89B219AFC97052259
SHA1:	8677307E553474320A2616EABBC5534F42D100BC
SHA-256:	E481BA3734925C59839FDB29E5FB171F0DF0640A48D4C61C9CAA9F475D2ADE89
SHA-512:	49F78793C75A70502E43A138F762940149F536BB494473B1672A1E0E0C7BE2AA72337B3524EB0E4D5F0B60203711D87958FAB88F1404476BF779967350B00364
Malicious:	false
Preview:	..........N.....N.....N.....N9....NB....NH....NN....NT....N]....Ni....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....N.....N:....NO....N_....Nu....N.....N.....N.....N.....N.....NK....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N,....N9....N[....Nd....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....ND....NJ....NV....N\|....N.....N.....N.....N.....O.....O.....O.....O1....OD....OQ....OZ....O.....O.....O.....O.....O?....Ou....O.....O.....O.....O.....O+....O\....O.....O.....O.....O.....O2....OX....O.....O.....O.....O.....OG....O.....O.... O....!O...."O!...#O0...$O6...%OE...&OQ...'OZ...(Oo...)O....O....+O)...,O....-O.....OZ.../O....0O....1O....2O....3O6...4Ow...5O....6O....7O....8O....9O....:OI...;Oo...<O....=O....>OE...?O{...@O....AO+...BO....CO3...DO....EO....FO....GO....HO....IO....JO....KO....LO....MO...NO@...OOL...PO....QO....RO....SO...................... .... ....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\ar.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6252
Entropy (8bit):	4.765802565676888
Encrypted:	false
SSDEEP:	192:8q+c4RnQTyZHZo/zjH26bojOpyuT/j8I8hi8v8hqCPC5/P5zn:8jYo5oLjH26EjOp/Mn
MD5:	1F9D7E57FE35D3A35FE49E6E2BAC8707
SHA1:	E6C4BCC56AE5742E7B825F489BF33B491970ABE6
SHA-256:	7522EF5C3E10BF279E777054D858955F1B9F63A39CCB408364C413E6E3D49A04
SHA-512:	489C79155C5E84702B58072E8A44C123D8F0C3F226A5073EAE343506A76D0E378418557DD29CEF8283425A46A248132CCB1F78E13C867829E399CB6EF17769F2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N&....N,....N2....N8....NB....NL....NV....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N)....N:....NO....N]....N.....N.....N.....N.....N.....N$....N=....ND....NW....Nc....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N7....N?....NX....N\....Nw....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N0....NA....NV....O`....Os....O.....O.....O.....O.....O.....O)....ON....O.....O.....O.....O.....O(....Ol....Ov....O.....O.....O.....O.....O.....O2....OY....O.....O.....O.....O.....OS....Ox....O.....O.....O.... OK...!Od..."Ow...#O....$O....%O....&O....'O....(O....)O....*O....+Oz...,O....-OC....O..../O....0O<...1O....2O:...3O}...4O....5O....6O....7O....8O....9O....:O/...;ON...<O....=O....>O....?O+...@Oc...AO....BO8...CO....DOS...EO....FO....GO....HO....IOC...JO\...KOm...LO....MO....NO....OO....PO....QO....RO0...SO:.....l.................. ..... .. ... ....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\bg.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7220
Entropy (8bit):	4.592203217648416
Encrypted:	false
SSDEEP:	96:eOu4nxWcR1emdX4DRkw0UzNAHSZwIQshZrlLBXWeOwg6lz737RC:HScRkB6WmSZRhZiePlzz70
MD5:	6E09177086163D64ED7AB890D70CFDF3
SHA1:	87B7FCA47DA5BAE28C7182A221E923588EBEADF8
SHA-256:	B0E8F4379AA7B1CF11C196354C6C0212558B1E5BA20332A34F30B5263D4B1EA9
SHA-512:	48191FBA9308E58CE482193CAB4DEA032A37136D6F1D1132B45D0894B18EA3B5BE330BBF9FA61CF2C5BC711B371D53430554BAF103CEC027E6026E5F27A292C5
Malicious:	false
Preview:	..........N.....N.....N.....NI....N]....Ne....Nk....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N;....NH....NU....NY....N]....Ne....Nw....N.....N.....N.....N.....N.....N9....N.....N.....N.....N.....N.....N ....N4....NZ....N.....N.....N.....N.....N.....N.....N.....N.....N<....Nd....Nt....N.....N.....N.....N.....N.....N.....N@....NL....Ny....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N:....OH....Oj....O.....O.....O.....O.....O#....OB....Oc....O.....O.....O.....OS....O.....O.....O.....O.....O.....O:....On....O.....O.....O.....Oq....O.....O.....O.....OD....Oe....O.....O.....O:... O....!O...."O....#O....$O....%O....&O....'O....(O....)OP...*Ot...+O....,O....-OO....O..../O....0O`...1O....2O4...3O....4O....5O"...6Od...7O....8O#...9OR...:O....;O....<O-...=Oi...>O....?O....@O....AOy...BO....COw...DO....EOw...FO....GO....HO....IO....JO....KO....LO+...MO9...NOC...OOU...PO....QO....RO....SO......4........................ .... .....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\vd.ico

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	4.526069485099958
Encrypted:	false
SSDEEP:	384:eLpEC0qWDnDjVSV/+/CB1+n2GHOMmM5H6:1C+Sp1QdHOc5H6
MD5:	9946B791C261BA0A4CCF6E46F7B54546
SHA1:	3082E44F89AB9CD5ED1705F0470A33D1279D2A67
SHA-256:	62729E6D23D8DD347ECCB5B9D292A089ECA582694082EB8F1DDF55E9AE18B0C0
SHA-512:	A2C11556486E5F1B417F61ABCDA1BB3B064CD29515DDD0CF94985E24043D2F1483E74938711290A3FD681157F2559ED719B30B367481D81B41E01676E84DC03C
Malicious:	false
Preview:	......00......h....... ......................(.......00.............. ......................h...^"..00.... ..%...'.. .... .....nM........ .h....^..(...0...`.........................................................................................................................................................................................................................................................................wwwwwwwwwwwwwwwwwwww....................................................wwwwwwwwwwwwwwwwwwwwx...................................................wwwwwwwwwwwwwwwwwwwwx...wwwwwwwwwwwwwwwwwwwwx...ppppppppppppppppppppx...........................................w.w.....................ww.p....................ww.p....................w.w.........DDDDDDD@...............tDDDDDDDG................GwwwwwtO................GwwwwwtO................G....wtDDDDDO...........`....wtdDDDDO...........@....p.GwwwtO...........`....p.gwwwtO...........@....p.G....O...........`....p.`....o.......

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\plugins\version

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\ca.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.418213783438325
Encrypted:	false
SSDEEP:	96:cqGYHvAfKA/nFGBlyL5tTIYOBcZbISSZrJz94IvXqUQEQ6TH3Hzniv7:cQgrnwPyVCYOCZ8BZrJz94IvXqUQEQ4I
MD5:	DA44E0F806463B7F0D3FA8C93A4E50DE
SHA1:	DAE138775B448187C099EB4C6EEE463E4CD47E84
SHA-256:	FF4CBCFEBE833E21C37A02C04257FDB2369E42E3BE18DCF75335333A06EA789B
SHA-512:	9E8BD23F668BF312817592445C9E2BFC2CFDCC2BEF47DDFE711C750409CEE5855F2E9AFD96DA4F3F4B5E7C92A8C4C675AF45389A40C3033F73453971BD358C3D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N+....N9....NJ....Nb....Nl....Nu....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NC....NY....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N;....NI....NW....N^....Nq....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....O-....O2....OK....Or....O.....O.....O.....O.....O.....O.....O.....O'....OC....O`....O.....O.....O.....O.....O.....O.....O.....O.....O/....Oa....Ow....O.....O.....O.....O.....O9....O[....Oy... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O+...,O....-O.....O..../O?...0O~...1O....2O....3OB...4Od...5O....6O....7O....8O....9O....:OY...;Oo...<O....=O....>O....?O....@O....AOW...BO....CO....DO(...EOu...FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO)...RO1...SO;....._...DetallsDesa.s un .ndex on es poden realitzar cerques. Intro

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\cs.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4278
Entropy (8bit):	5.761351246793285
Encrypted:	false
SSDEEP:	96:0CLGsy4GgACuoiU4CJeDof8QQgWu6/K3eVeRl2c0cLeI:lLTy42oiJQwof8Qcu6y3WWr
MD5:	E160C8912A6E73BD4CD2544A9F3C3974
SHA1:	E46EF68F3113BD36D40635C76452445F7D359F39
SHA-256:	C01E38999FE2C1F98B5429BD550AE8A9F15F10D09D41EFFF8F3C7F4F1F66209C
SHA-512:	7CB2E47F945705DFD0030B28BD62709361DFD17AA925C68A85B34DDEE0584307C2FA918EC4B1443C2181578AFC6CD64878AADE25A469CDB2F0C45237682F35A0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N'....N0....N=....NK....N[....Nn....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NG....N_....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N7....N@....NP....NU....Nd....Nk....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O%....O/....OL....O[....Ol....Op....O.....O.....O.....O.....O.....O.....O+....OU....OY....O^....Ot....O.....O.....O.....O.....O.....O.....O.....O:....OO....Ow....O.....O.....O.....O.... O....!O0..."O;...#OA...$OH...%OO...&OU...'OX...(Of...)O....O....+O....,O....-O....OW.../O....0O....1O....2O2...3O\...4O~...5O....6O....7O....8O6...9OQ...:O....;O....<O....=O....>O....?O(...@Oc...AO....BO....CO0...DO~...EO....FO....GO....HO....IO....JO#...KO*...LO6...MO?...NOI...OOR...POp...QO....RO....SO..........PodrobnostiUlo.itToto je prohled.vateln. index. Zadejte hl

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\da.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3875
Entropy (8bit):	5.465278759668329
Encrypted:	false
SSDEEP:	96:znbLo2urHRFWbiEP15P4q7GL8cyScTs3DhDU/EZ87s:3/udeiy5P4q7i8cySes3tw/Ed
MD5:	25A5E506C8A0C64D9B9E08AAAC9626E6
SHA1:	82F8D1E8CE364694F03C5133604F72C2608B8924
SHA-256:	229DA0D16A7FA0BFFD67B78F2F76734C7EA2129A15CE95DA9422775B4E9835CE
SHA-512:	33F86B51BE09DCFEC6B9064E5906EC782C5AF9DFCC727A2A7E4BFE5FF6908AF115E5937EC7CF2BEDF103FFA1A941D340D2C0F2E13F8447FCDE1CD649E9A936BA
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N+....NF....NN....NV....N^....Nf....Nn....Nv....Nx....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N:....NA....NG....NR....Nb....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....N7....N>....NJ....NS....NV....N[....Ng....Nj....No....N}....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O:....O`....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....OD....OU....On....O.....O.....O.....O.... O....!O...."O#...#O+...$O1...%O9...&O<...'O?...(OI...)Od...Os...+O....,O....-O.....OQ.../Oq...0O....1O....2O....3OC...4Ol...5O....6O....7O....8O....9O/...:OZ...;Og...<O....=O....>O....?O....@O....AO2...BOm...CO....DO....EO[...FOg...GOk...HOv...IO....JO....KO....LO....MO....NO....OO....PO....QO....RO....SO......#...DetaljerGemDer kan s.ges i dette indeks. Indtast s.ge-n.gl

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\isolinux.bin

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	isolinux Loader (version 3.82)
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	7.08359030184487
Encrypted:	false
SSDEEP:	384:Gh5TvIzjLaWhV12sPtZK7zVi8vnKnjPlVzjzmtInQt//:Gh5DI/LfnC7zQ8z02//
MD5:	7EC434DAFE56FBFBBD9F609A8E51ADF1
SHA1:	31EB96F0B7EEB6D3972D735F20C18A4DEB425942
SHA-256:	E9A4817AB449A50364B0DD33425BDC596D222C1792A460831F87487439385E32
SHA-512:	454920BCCD663FA585E1954A320616BAD5061EB03886E284284796F9D3A2079D3ED019AD9AF6E381CF647CF27ED0EA8C098C6399479B2091BD49B472728C13F6
Malicious:	false
Preview:	..w\|.............8...Wa......................xpY....)....)Z_.f1.f1...\|s.fXf[.f..).f...).@....D....<...&.)....)1....{.W..........6.)f..f..)......6.)...f1..@\|...f.f....f.>.)...)..).!.f1..f....)....)...(...8...F.>.)<.u...K...)..).........)8..)....f.>.\|.u'f..)f!.t.f..........f.G......f.(.f..\|f..\|f-....f...f..)f.....f.....)f..\|f@.@...1...).Q........f...)f.>.)&f.f..fIt.!.u..........f9>.\|t.........O..........\|.............f.L.f..}.......1.W..}...._..Gq..f..}f..t(f.L.."&f.E..f;..}t.f.L...K...)..)..r......`..K..)....~.ar....U....p..M.8..)u.....A....).....)8.t...8.t.J...s....)...r..!.......3............\......PV.3....^...X....f.f`..1...faf..U............F.......]......&.)f1.f....f...f...)f...)...U...f......fRfP.SWj...f`...)....B...fa.d.r.]f..f...)......!.u..f`1....).{.fa....):.]..f1.f...f...)...fRfPUSf..6.)f..>.)f..1..f...I.).9.v......A......)......f`...far.f......[..]fXfZf..).u..Mu...H.u...;.H.v...H..(.\..D.f.D.U;.J.v...J..l.V...).B...^]f..D.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\ovf-vmware.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.424470799098464
Encrypted:	false
SSDEEP:	24:2dd8puSF899zzcmOlkkXsxPxPxSlptWeWOy/EpgbJMxPxSa7cRtaDeH0iBD88Epc:cd2VF+kXsolPWeWONgPRRtWeHGsUgcBg
MD5:	9392A998B91E7C12F20FE8ED0D7C7610
SHA1:	19C90803DB690AF45D7E6F8F8B1C7BD41F71A2CA
SHA-256:	662B3AB8423F4E5B05061B88CCA8A134A50799D6DE0CEC8977F46749A89E0FBE
SHA-512:	EA15C2FCAB591A384265EE726925CE3D07BB2E8DE79BDA7A6F203A54FBA2441FAABA4EA6925242B2D84DE76299CB99B2DB8B62149F405F86BD2C58609BE605A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovf".. xmlns:vmw="http://www.vmware.com/schema/ovf".. xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/envelope/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="IpAssignmentSection" type="vmw:IpAssignmentSection_Type".. substitutionGroup="ovf:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. IpAssignmentSection_Type is a derivation of Section_Type..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\ovfenv-vmware.xsd

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2951
Entropy (8bit):	4.309681188440056
Encrypted:	false
SSDEEP:	24:2dX8QSF899Szc42+lkkXsxWCGRPxSHnSEIHkyspXuKEpsZEpgcBg:cXEFckXsQeHnSEIHkysNEsUgcBg
MD5:	FB0DFD7CE4E12DBC2CEDD5CEA0FAE216
SHA1:	FA8FCB791F89F0CF170C58AF74626BCE6F9DAC9B
SHA-256:	7AB54BD0D58AE49A735FF551E260DCDE51CE28CF591580BCC150C4F15641C39E
SHA-512:	250B1290349D8D10A609E027DD3EA3CDF21BB40A7457FCE94294327DD92EFC957628AE735D44498328489A741209C09C7B0C7CA8822251B2D30A17121A74A549
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. the this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovfenv".. xmlns:vmwenv="http://www.vmware.com/schema/ovfenv".. xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/environment/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="EthernetAdapterSection" type="vmwenv:EthernetAdapterSection_Type".. substitutionGroup="ovfenv:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. EthernetAdapter_Type is a de

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\themes\sample.flp

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	DOS/MBR boot sector; partition 1 : ID=0xda, active, start-CHS (0x0,0,1), end-CHS (0x0,1,18), startsector 0, 36 sectors
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	6.703256936166348
Encrypted:	false
SSDEEP:	192:YaPUesFIxeyrsMBe1MlsBc0GLGEiyXYmWhFdrNkv:baIFrXaMlsBmLG/mcdJkv
MD5:	1F4E9B9C3E5AF1359BC440FA99573F8B
SHA1:	0A710D1776F0687170B7D547C1D70354D6BBA548
SHA-256:	9FA0E91FF06B33614AEE00BBBBE5D4104D153B8933650D44F9A2B9D07B60E9B6
SHA-512:	38B9E7FD9C7EDC8EC89E3811C5E8D09A22E42CB9C734FE0C4AE7A4E8E60C063AE965BC6FF61AC398D5B8D8D9EAB0D6E40EDF82BC953F82542DC2890E06BBAADB
Malicious:	false
Preview:	.:\|..............OQ..............T .......METALKIT . err!..1....... ...}..$..r%.(\|...B...}..}..s.......}...}..(..s..4\|............h}. .f...."..\|..f........(...=.}..........}...$.....}....5.}...u....}...=.}......\|........f. ......\|..... .f....".1.....W\|............t............... ....."..3.....f...............1...:........f.(................./.h}..........................................@./.h........(......................................$...................................................U.U..V.....S.......@..A...Q...........Q...............f.Q.f.Q..Q..Q.B....Q.u$.Q..A..B.. .Q.u..Q..A..B.. .Q.u.1......t..E.f..f.E.f.A.....@[^].U1...WVS.........f.U.U.....$f9].u.f.E.f9E.u.f.E.U.f...E.B........'.....u...[^_]...U..S.....Y..........I..........................................A...!.[].U..V..S..........A...........A...............f................D......f.[^].U..].U...1.t0.............. ....f1...... ...P.Bf..`h.@...@...X..@.\|$...@.t$(..@......@...a..@.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Optimizat\vmPerfmon.h

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.653194488836456
Encrypted:	false
SSDEEP:	12:USn008/bwUkyyjdGVDNKQ/aHvjkjTyHDmtFQK02DqGn:JD8cxrsVD4AaH4jTUWKkqG
MD5:	2FF22231C5A295A9EFC4633B5E979F3C
SHA1:	F5079F304DD332003F2FFFD6164748891E23C7A2
SHA-256:	FBAF23FF758CA026C8AFB4BA17CA4A75602B561A32C2B82193D55FF29D963884
SHA-512:	617B190EB0FC7B2D84AA00E1E57FDC1A360AD6C2C22CC85F0108CD9164F8CE2C00ADA612A2E848387A7701FE8019E66B6D8062F9799B3F90BE60624210A40ABF
Malicious:	false
Preview:	/* *********************************************************.. Copyright (c) 2003-2007 VMware, Inc. All rights reserved... * **********************************************************/....#define OBJECT_1 0....#define DEVICE_COUNTER_1 2..#define DEVICE_COUNTER_2 4..#define DEVICE_COUNTER_3 6..#define DEVICE_COUNTER_4 8..#define DEVICE_COUNTER_5 10..#define DEVICE_COUNTER_6 12..#define DEVICE_COUNTER_7 14..#define DEVICE_COUNTER_8 16..#define DEVICE_COUNTER_9 18..#define DEVICE_COUNTER_10 20..#define DEVICE_COUNTER_11 22..#define DEVICE_COUNTER_12 24..#define DEVICE_COUNTER_13 26..#define DEVICE_COUNTER_14 28..#define DEVICE_COUNTER_15 30..#define DEVICE_COUNTER_16 32..#define DEVICE_COUNTER_17 34..#define DEVICE_COUNTER_18 36....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PSpendZ.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	289448
Entropy (8bit):	6.451290476474314
Encrypted:	false
SSDEEP:	3072:K/kvkbvka2pVtwouW9+DZUFIPcpGwDmXsBvpRyAHa0MiZUFw/oPACa337yGTkSEh:K/CkboR5INUR94GhnO6g1Co/
MD5:	DF3D77D41EF28027B3069D39F9EE9C79
SHA1:	0DFCF31AD455ABD48D35B0250B5B03265052FBA6
SHA-256:	02EC8C37DD946A2CD74673993C2108F12FFF3E82019A1590231C4205CCB2F0D4
SHA-512:	FF9168421EA2E0B56ECE4DF777B1FA3605CBB4AC81D1C81CF2491A5C197BAF67C47BA4D1D767C5C272A8F3CFA46B169234D19B98671FF6AD8F7A092F51E9378D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`.D.`.D.`.D.2PD.`.D.2oD.`.D.2nD.`.D.`.D.`.D...D.`.D..nD.`.D..oD.`.D.2TD.`.D.`.D.`.D..QD.`.DRich.`.D........PE..L...m.rW.................P...........t.......`....@.......................................@................................. ........p...............,...>...`..L.......................................@............`......\...`....................text....O.......P.................. ..`.rdata..h....`.......T..............@..@.data....7...0......................@....rsrc........p.......,..............@..@.reloc..L....`......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Ptuity.plx

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	14368
Entropy (8bit):	7.98674225179823
Encrypted:	false
SSDEEP:	384:mfiQ1WgVWzXqM0ds2aRzJN171WYxDdI8JOknz9L:CiQ7YXq7W2CNvRtvOkn5
MD5:	0AC8B2270BBEAA290D2DE02034EB9FB2
SHA1:	068C54981B3DE9FC5C8796E5BA669B0AF861061F
SHA-256:	DE2576040D397D5E9160C340C77261D824D1F7DF837C5053B7D94357154623A1
SHA-512:	61B637395C7ADAF7068DB7E784F3BF2511A93E3A8D7B25B0C5A9A7DDA4D3157F735403CBE542A40E0C328695C8913276D8D62C80F1DBD7AD3AEADE7FC302B1F2
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}s..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...y......>>w.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Ptuityoosty.plx

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	7.9367090246788425
Encrypted:	false
SSDEEP:	24576:Tr8E5sAimSPU1zOttYCqgScnHAVPfcp9L30MphcNsV4C1FB8HZQNZf+RI4nDRK6y:TiAiEO3XScg5fqr0UwJC1/85QNxsnDRM
MD5:	0E472FB7BDE069AFCA0512F32104F1C2
SHA1:	1112EAD3CDA796FDE569D1EB3B767EFCDD95DA0A
SHA-256:	F2C2C19DA028F0F6426D4C3EF12AC936F2BFF11C0EA7556E173701EAA43F602B
SHA-512:	5C5061708E7F4F90B7CD4CA3DB232FD513FF002165457A4441FE31333C5D6EAA86598B250EB2B71450FC6E3D3D37A85403BEE7973049D465148F8B4CC3B976C0
Malicious:	false
Preview:	..8.888.888;;88p8888888.88888888888888888888888888888888888.988..~.8t.M.p9.M.........................................8888888p6!U<...<...<.......=.....P.0.......:.......:...Nu..7.......:...<.......^./...Nu..~...<...=.......;......<...888888888888888888888888..88.9.8z..88888888X8.9.9.888.88.888..8...88..88..888.88.888.88.8888888.88888888..88.888888.88888.88.8888.88.888888.888888888888..8..888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....88888..88.8888888.88888888888888.88X....888888.88..880.88.88888888888888.88X....88888.888..88.888<.8888888888888.88x8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....8........

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMDns.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScan.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68720
Entropy (8bit):	6.476827488476942
Encrypted:	false
SSDEEP:	1536:rNxdo/OeIYU50Jl3otHM89BiAM6rOmPW9AyjIWxX:do/OeIl+3qcgrOmPW9PP
MD5:	1F8AC5270B7A995CAE3E93D2CFDE7AD8
SHA1:	91E2A971D4550177985D4BA762F8739C150715E8
SHA-256:	262BD0F69043D2BB3B4ED49F9F2A6F8EF6F4CC74F4F6277ED805C1C427703D69
SHA-512:	3A36A5477E9FB35DBE3FF134A22F3335EB032DE1BE970DF23507DE3D75E1F4FE630BBB214E190942F54BAA6B5438801B9CCB967D8EBFD6A2C05D6444E460A147
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X.I.6.I.6.I.6.@...G.6...2.B.6...5.M.6...3.S.6...7.M.6.....H.6.....X.6.I.7...6...?.o.6...6.H.6....H.6.I...H.6...4.H.6.RichI.6.........................PE..L....9.d...........!.....z...`.......w....................................................@.........................`...................H...............p2......$......p...........................8...@............................................text....x.......z.................. ..`.rdata...F.......F...~..............@..@.data...............................@....rsrc...H...........................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMOfficeScanX64.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48240
Entropy (8bit):	6.205257629860353
Encrypted:	false
SSDEEP:	768:Xfk00NEhiovWIspv9VxuNF8IQYdUt3WvXw2MxfDGjENAMxoV:PkjzvAvu73WvgjPxoV
MD5:	F17C5A63BCFA4DE1CF991D617C2DC104
SHA1:	8F683A2A11A9D7A3F8B0AACB354FDDD58B753FE3
SHA-256:	19ED59874BD4D2892B995FDB6B2E8EBAFC61CC3B86DFC164C14FA229C323D11F
SHA-512:	549EC7876616C09EABE4BB509EBBC1D242AC9349717B560A2D6EBCE18407F57950E1B2A1FEAF40F0138E8AB692C681364403044062D49574B4AB930F2AC46A29
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.OK/r!./r!./r!.&...%r!.}. .+r!.}.%.'r!.}.".+r!.}.$.7r!.....r!....$r!./r .Br!...(.)r!...!..r!......r!./r...r!...#..r!.Rich/r!.................PE..d.../;.d.........." .....B...J.......C....................................................`.................................................<...........H...............p2...........o..p....................r..(...`p..8............`..p............................text... @.......B.................. ..`.rdata...0...`...2...F..............@..@.data................x..............@....pdata...............\|..............@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QMRtpDLL.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82032
Entropy (8bit):	6.502617592778617
Encrypted:	false
SSDEEP:	1536:tqLV7ilAnpMNT2pttBqCnwUnFj3frYmlmjO3Bxk:tqLjn6NT2pZqUwUnFjvrYDC0
MD5:	AFBA05F77ABA8D0EF3743CC597BA6422
SHA1:	B3E65B7D21E3F634C6A5314DCCB1BD79DDBD6AA9
SHA-256:	4351E881248AD1916A5D9295A9F99623EAD0A6A3FF2846D57E1FE8437DB42908
SHA-512:	790DB66C351EEC01F990E6A308E7BF87DC00F3A13E60CE67744103D5DC127048A33A26FB155765D57F4A58BA58049B074529AC2BDDB0B10ECC942DF1E71C8BDA
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........=D..nD..nD..nM.pnJ..n...nF..n...o@..n...oO..n...oG..n...o^..n.F-n@..n.F3nE..n.F(nK..nD..n...n...oi..n...oE..n...nE..n...oE..nRichD..n........................PE..L....:.d...........!.........h...............................................@............@.................................d........ ..H...............p2...0......4...p...............................@............................................text...%........................... ..`.rdata...I.......J..................@..@.data...t...........................@....rsrc...H.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQFileFlt.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38512
Entropy (8bit):	6.63865944335788
Encrypted:	false
SSDEEP:	768:ROudp8AfRjP9W9R/AdFwJQw2MS1DGjENAMx5fp:JrRxWUdFwRjSvxj
MD5:	80C42D60E8E5F97E6F29A914150D34C7
SHA1:	54FDFA7E0DB4E709A07E582BD974AA9AD06B9C04
SHA-256:	4314566DA8C6C4D37EFC255618C8CABE18EF980D6076D7EDF7B78F15C7730D3D
SHA-512:	EE677AF29CD627759F37E8650BDBB407D210E09701989AA5ED6D5E0791E8228456F9224BA554B50676AB01EC1625591CA1E69E96E2A1008E58D3A992BA24ABC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.].}.3.}.3.}.3.t...u.3./.2.y.3./.6.h.3./.7.v.3./.0...3.q..u.3.n.~.3.}.2.'.3...;.s.3...3.\|.3...1.\|.3.Rich}.3.................PE..L....8.d...........!.....4...0.......1.......P............................................@..........................h..0....i.......................d..p2...........Z..p...................@[.......Z..@............P..P............................text...+2.......4.................. ..`.rdata..."...P...$...8..............@..@.data................\..............@....reloc...............^..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\QQPCHwNetwork.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91760
Entropy (8bit):	6.449961906479072
Encrypted:	false
SSDEEP:	1536:/h8aLCYzTrw9hR/+d4HbQK8k7InMbR5RaIafYqm3Zuhljbx3D:/h8aLCYznw9hR/+d48dnKRaIajcZuhll
MD5:	247B43CE661A47B1329A35A3D5F5FB59
SHA1:	75405D9268663F9547BDD758ABACE7D07D10C2A1
SHA-256:	46D71363500E78A43DEAF56FBE1607285CB337084DFFE9ABEADE17666825C545
SHA-512:	5BD470FA2479D5C4D3B49EE8475C37AA47F34CD57846AA0D22CC27B3019E605E963296DBE6E8552C6A9A3E2D4E47A5A7ADA8A3061AFB83747455916885573F89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........o...<...<...<.b<...<...=...<...=...<...=...<...=...<8.?<...<8.:<...<&..<...<...<...<\..=...<\..=...<\..<...<\..=...<Rich...<........PE..L....;.d...........!.........`...............................................p.......G....@..........................%..8....&.......P...............4..p2...`......(...p...............................@............................................text............................... ..`.rdata...A.......B..................@..@.data...8....@......................@....rsrc........P......."..............@..@.reloc.......`.......&..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\RX.EXE

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24625
Entropy (8bit):	2.1913074792015905
Encrypted:	false
SSDEEP:	192:0pZKBb0SBUozYHfSP/5udU97DCHoyBD9j5RMWFHYWM:0pKI3o9aU97DGXfRMWFHYWM
MD5:	1480674D407376829CEA3BD86B10A06A
SHA1:	134E75134772DA95E8995DCDCAA382059F07B72E
SHA-256:	FC4B39808E66ED24F937B2793A7C09E0BDD063A823AA35EBE7E02B3C4FBE21D8
SHA-512:	3F2682AE9B2653FC43C97EA95A9419F10E343FA0F2269DA9A19DC4968C4251F371716BB526895F4FC57D1BC55307B88DE8B4C89974500CDE030C28ED662755A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../x../x../x..Mg..-x..d...x...g..$x../x...x...g..,x..~...x...g...x..Rich/x..........................PE..L......5................. ... ...............0....@..........................P...... ........................................ ..V....@............................... ..T...................................X...0....................................text............ ... .............. ..`.data........0.......@..............@....rsrc........@.......P..............@..@?..H.......I#...........MSVCRT.dll.KERNEL32.dll.................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\SresoBooster.ui

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	134912
Entropy (8bit):	7.903190714655621
Encrypted:	false
SSDEEP:	3072:G+S64yszRE14/aow6SskMB91xWkBzfq08wO4CIuMDlhwrE:G+L4Hztyo2EcXRnlSwrE
MD5:	DAD749BB9D49A7A894FF337D2393C6D9
SHA1:	7F55DDF8DB301DF2410BB1D279D43644E7EA4938
SHA-256:	D78589AF06AB8AA150854CD2644B1BDB076FC6B6235A5F9D83CC25BEF8FDF754
SHA-512:	65204C7ACBDEEAB8040612F4918032DE5970525EEE6ED33792D3FC7C136AF3945544A215FC59C498814D4EA10B2BBDEC9C394950C67ADE834A5419C95BD2272A
Malicious:	false
Preview:	...hehhhdhhhiihh.hhhhhhh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhghhz..zh..;..g.;.................................{{~.hhhhhhh.?_.......?n.....v8e.....B......J..a...J......J.....v8d....v8t..........J..`...J...........hhhhhhhhhhhhhhhh..hh.geh(...hhhhhhhhHhfg}g~hhhfhhxhhhxdh.rbhh.dhh.bhhh.hhxhhhfhhchghhhhhchghhhhhh.bhhdhh1.fhfh..hhxhhxhhhhxhhxhhhhhhxhhhhhhhhhhh..bhLehhh.bh.ghhhhhhhhhhhdfhh}hh.bhxhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh.pbh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....hhhhhxdhhxhhhhhhhdhhhhhhhhhhhhhh.hhH....hhhhhhfhh.dhhnghhdhhhhhhhhhhhhhh.hhH.....hhhhxhhh.bhhbhhhjghhhhhhhhhhhhh.hh(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....h....{.``

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\SysP1.bat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.176110251517256
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Y/:qwS
MD5:	2BDBD458CDA326811BF21CE923DDC445
SHA1:	6EC3707499119179032D04ACF772886D4EFE04A9
SHA-256:	3F4F5BA8FD43224CD52D0896A3A268BF8D0FB3879641BEB8C1511DB8A4DDF24D
SHA-512:	97E2657E9068D6F39C983FDEF3F799A38F1233D1A2D4B76B5DF8EB426A490B86551D2FEF6D1359E73760AB7DAFE38B5B0777AD64EE772762B6C81AC52A433A73
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula %1

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\SysP2.bat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.220254675762214
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Ysx:qwt
MD5:	047B6CBDDA979929AC0D03B3CBB5470D
SHA1:	7C757D356F6C6BEB177101852762CAF663C82CE9
SHA-256:	A90C88999F5EA058567CCF5382A82998238B5E838A96D1A2AF77B63A671012FC
SHA-512:	AAA0CD8686DF0419D6A7EEAFD5308E50903C1D0B68826F80DF8AC17B17059D07618447F86B80FE578198DBDD163D6A797401E4E24B90B7E263C8EAAE950334A2
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula -r %1

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\TP.ini

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2120
Entropy (8bit):	3.9071241426624894
Encrypted:	false
SSDEEP:	48:r86ghq76ggtE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rz29tflq4O0O03hBeLDE
MD5:	59C87B6C1850D97568A11E2988733948
SHA1:	7BD36A2B6DF1E81A43045B25D8D7D6A166AE5BDB
SHA-256:	3EC9E44A022ADF0337B600E1E1B1613B7145E14B62C5B315807A9B05090FA74D
SHA-512:	FB9ECA7E917E17D99CD86520E3EE8A2632436A5AE0F17CEA3ABED555B8C04C561B7A59EEB928F05297BAB0E97895A1BBDC19596B353201A6A7A9C306AB36046A
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.M.i.c.r.o.s.o.f.t._.T.P.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....M.i.c.r.o.s.o.f.t._.T.P.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\TPClnVM.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68912
Entropy (8bit):	6.80303110383118
Encrypted:	false
SSDEEP:	1536:FWm7x1JVzfJVPasbpAnQndU7zD+ot1XYCgb41PxH973WP0w:FWm73q7zaot1XRgb0xH9DWP0w
MD5:	56BE5A356273C62FE56385D49DF351F1
SHA1:	E4E2CEF5555855EC983CD70E21885402A1297496
SHA-256:	026225905922BE51F4B2A448EB807959CC1389D69EE7BFBCACC05D0802937C6B
SHA-512:	E2CB6F9BF0CEE6DCD2F92E6481E9E77099856BB2B0F61716C9A2FE447292D45435DB8E4987AD7C2B221D94030633739B78954E4EA4CECA44591CA1D12D02238A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.).-.G.-.G.-.G...F./.G..F.).G.$..(.G...F.).G...B.8.G...C.'.G...D...G...F./.G.-.F...G...B./.G...G.,.G.....,.G...E.,.G.Rich-.G.........................PE..L...y.tc...........!.....^...X......`........p............................................@A........................ ...................X...............0U......P....u..T........................... v..@............p...............................text....].......^.................. ..`.rdata...A...p...B...b..............@..@.data...............................@....rsrc...X...........................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Theme.ico

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.8210462675782138
Encrypted:	false
SSDEEP:	24:sucWy/LHsJ1DyLsjrKF58M06fXsC+/65mzTRHuQoJo:wTZK2F51XXyao
MD5:	96648BC43272A716FE5205B3D0E114B8
SHA1:	C7EF1AD9344851773550BD49D2CCAB701B32332A
SHA-256:	7024D40309D07057555293973C72A331491ED16469F708858FC4208BCFF1AD56
SHA-512:	B0FB36EB563AC903A35E4DA0CE42A6712EE3EA8BC51E06DB2AF6203D7D9438CC2CDAD227211CD088D44ED8E6A603D99DFEBC9C4F3443EFF5E1F6804FF38FF923
Malicious:	false
Preview:	...... .... .........(... ...@..... ...............................................................................................................................................................................@.......................................................................................................................:`..>...A...E...............................................................................................................=`..A...C...H...K...N...........................................................................................................C...F...J...M...Q...T...X..................................................@..............`............................I...M...P...T...W...[..^..a..............................................0...........~............................P`..S...V...Y..]..a..d..g..k....................................................~...{...x.@..............................Z`.\..`..c..g..j..n..

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\VNL.ini

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.711893824509616
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR5vhHOAvHPUN3U6vBjKCE/kA8A:OZaRRXQNLXmwPxhb4eDvhuqGXjKfkA8A
MD5:	044F1A47A5BBFCDA9F971713BF29CB5D
SHA1:	9DE26E40722A75D4C56B964161005442B43F3013
SHA-256:	302FF8E0ED25E06B3159F1DED4BACC3D883B211843ACC69B7799A563679384C8
SHA-512:	6B93D4C437D840ADC212E712E025CAF6CCBD35DD366D794C28F99A806687A5366A91D96256D835C33ACF1178AFEC721249BCF974350B5A203B0A3B8AD2521868
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[BIECHI]..Dictionary_Rekey=A.exe..[ctrl]..BIECHI=SearchRun.exe..[Desktop]..Desktop=rar.exe..[EnumNATPortForward]..ExportDatabaseToFile=A.exe

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\WBGvisualelementsmanifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1896448
Entropy (8bit):	6.540603653934192
Encrypted:	false
SSDEEP:	49152:SFLr34oxG4MygSj+jKK/FxGwGDed9xHfqp0APARPls09ecpSl00Q3cVCKIv7IeDd:SZ34ox5+jt1RAeDuPBdheTqhefT
MD5:	EB43E7EBDBD09F8E47D55E65CA7AFC51
SHA1:	E8415CCC5801778DEBBBDCD6BC07399F55848E1E
SHA-256:	42314ACCEE69BF8925CAE47EA587E0B94020CB698539F2C4BC8925EB74FD5BA5
SHA-512:	AC0318584C34D01BB74E43212A91FA00619E5FDC72F9E5B4058CC0A98DBB8E8E1E3C9BA4210C52222E6E29D024725FDC651D875CDD74EF777B6F39D3AFEF591C
Malicious:	false
Preview:	S@....................^........................................}.......R..J67)~.(-5(?3~9?,,-~8;~(+,~7,~ZMI~3-:;l...z........}b.S.H.S.H.S.H..8B.H.H.!FF.w.H../..Z.H.S.I...H.!FG.(.H.S.H.R.H..?G.M.H..?D.R.H.H796S.H........N[..R...Mi.4...................n......G................................................................................]...f..:..................................................................................................................l;&...h.........................~..>l(:??........~.................^..^l:?*?..............................^...l()(9.............................^..^l(;2-9...w.......n.................^..X........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\WGLogin.olg

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	329728
Entropy (8bit):	6.220411980467442
Encrypted:	false
SSDEEP:	6144:ijS20mSy/u0PqmZHYfOWx5WPAtUHXL9aWnkb/:ijS2TvqmC5WItU3L4Wnkb/
MD5:	374F89349C89907FBFA5129A0646A22A
SHA1:	3C44D1A7786CC2D17C865BA8A83D7B82B65106B8
SHA-256:	ABAEB261F3DD9B75538605C960062DE6C2ACD20A04600711C06B53189D40C755
SHA-512:	7B52B8C0E97FCFF274D3E208A9F94C43E0B9E7042CAE4C10A847A48908338E9DE4049BF94D6079123961C25C9FD2816DAC76BAA19DAB484A9D1B726F978081D0
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]\]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]...<F..oF..oF..o..FoD..oO.^oG..o.BoG..o).DoZ..o).po...o).qo...oO.YoC..oO.Iog..oF..o...o).uoU..o).GoG..o.4>5F..o]]]]]]]]]]]]]]]]..]].\X]..w:]]]]]]]].]_\V\W]].^]]/\]]]]].l_]]M]]].^]]].]]M]]]_]]X]\]]]]]X]\]]]]]].X]]Y]]..X]_]..]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]9cY]5\]]]-X].\]]]]]]]]]]]]]]]]]]].X]Uk]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].}Y].]]]]]]]]]]]].^].Y]]]]]]]]]]]]]]]]]]]]]]]]]]s)8%)]]]H.^]]M]]].^]]Y]]]]]]]]]]]]]]}]]=s/9<)<]]..]]].^]].]]].^]]]]]]]]]]]]].]].s9<)<]]].\\]]=Y]]#]]].Y]]]]]]]]]]]]].]].s/./>]]].\]]]-X]]_]]].Y]]]]]]]]]]]]].]].s/812>]]..]]].X]].]]].Y]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Watson2.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54736
Entropy (8bit):	6.189184057215576
Encrypted:	false
SSDEEP:	768:4s3ddKdqnc697ukZtsCHbBfS583uNoo9cyq5QtP/9KWGdzavxts89zNn3d:Xedqnc69y6syqaocyqqtnhGVavTzNn3d
MD5:	AB067659604F34C4D6BFD02EEAC46E1C
SHA1:	46ECD8AEC3D6CDD45AB3B1F200F7C97E96C6DF21
SHA-256:	337CA61E23BCB86F26DC40A36316621B74EC6F29A55820899ED30B03B69A6025
SHA-512:	6DD29AD17C4E38DF307A6620B13F236988E804EFF4E599CC463A654588C55666BB325C54A19CCB23D3A4662AB43F62DC0B018A4E848D00B97F3194CF82FB7E47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8............"...0.................. .....@..... ....................................`...@......@............... ...................................................'..............8............................................................ ..H............text...E.... ...................... ..`.rsrc...............................@..@........................................H........F...x............................................................(....:.(......}......0..O........(......(.....~....(......(......(......(......8..........o.....-....o...../@g.....o ...o!.....r...p("...-E.r...p("...:.....r...p("...:.....r)..p("...:.....r9..p("...:....8......X..i<0....(....-P...X%....(#...,@.($.....o%...-...(......(....+!..(....ri..p..]...(&...('...(.............(......o(...('...(........#......N@()...(*...8........X%..(+...(.....(....(,...+}..X..i/u....X%

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Win.rbg

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	7.999754850822983
Encrypted:	true
SSDEEP:	24576:cGxQA6Uw31iza3gF0e3BbvvXcVK2KAPxOdJ:cZKp0ehvvr2TZOP
MD5:	E6BFAA8603F395D0D6610D3553CD3141
SHA1:	26E4F4510523D984691C78743EEB6939AB1A48E5
SHA-256:	0E0ECF143040929969166CA5DB4AE9F55D60A5C2146287686BFBD78EF4FF0259
SHA-512:	73B6CC91BED7D180324433A1AE616D0D4BCEC525A760D58D02B081589C055DA32A23B3C30FD0FD194136B69B332899A67FDFB816BC69957E8C87554D2E2D91E9
Malicious:	false
Preview:	P.J.6.&#N.>WA...._..p..._].fZ. w..=.i...z.u.._..F.........i{...r..A....:'.=5u...Z.oH.Y..j...... D...\|T.".;I....?.HOP9..j.U..........B;..c..F>.q....:LV(.>.^......./..A....d(....uB...>..\D?..#L.H.J....vq.aJ....qk...\|.n...x............../Z../$..G.....Y..N./.....@..3..:..K.h.}.4..+....!.#..."........NA...).-8.3..r..~&..,.}.][)E.ji..L.....s..=O..y.E.n$..2i.G..>...D.1.A..Y4..u..Ho.].Ge..x...4..^_...p... ..`-Dth.....'.KS...[........5...y.a...6..u..].....].90U..1..n..9.....K..H....Hp.o...KL.U64......e..eB.....F...H....~...{.H[.S...M!....6.B..3....6k.Za..0..Y..i%/.)e..^..-.J..w?J..[/I.j:.....{.BT..{,S.)....X.?.6.(......K...o.&.J0F...1..h.-.. \|y.ei..2h"..=...x\......._+.....)....BD...k....h.$j..../....S...sR.i....wwTe.T....R.PC@. ..^.EV...0..N....-....z...x.l...........4...i.....N.a.... 7'...A\^E........gq.......p........v..7......[..o....:.....3.<U'...........w.~....I9O..[.zR..9...H.]...J./..Q..7.2}...1..w.V.,N0.^.J.#.8.I....\lUl.2z.5.6DC.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\XLGameUpdate.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78272
Entropy (8bit):	6.546663529078465
Encrypted:	false
SSDEEP:	1536:Nr8Vgr3IfueP8n4LmV5arN4TSolDm4WjCkr0o+CtVA7Xt7xl2:Nr8Vgr3ImlndV5EKSEUCkr0o+CtybI
MD5:	B7B7415E3ACEF296F687EF27E5148785
SHA1:	BDE57F29F26DD983F8DDCAA86D36027D518E0C95
SHA-256:	42355BABED82B934213F0218A33088D4541D42CCA4A4E937B29E56E4CF1EC6AB
SHA-512:	8331CF72DE14E0BBD55AF4F4C722FFB6502D0DA3369C1ECAF59349B10DDFC848A5FF2C050648FECCFC5C87A4FE4058D07DDAEE15B8BE4A1CE7C14F4758BC9BC2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9^.W..W..W......W...V..W.;.V..W...V..W......W..V..W...R..W...S..W...T..W...S..W...R..W.....W...U..W.Rich.W.................PE..L...i.%e..........................................@..........................@......E.....@.....................................@.... ..h................)...0..D.......T...............................@...............4............................text...D........................... ..`.rdata..*c.......d..................@..@.data...............................@....rsrc...h.... ......................@..@.reloc..D....0......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bbnn.rbg

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bfcipc.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172096
Entropy (8bit):	6.7050985968814665
Encrypted:	false
SSDEEP:	3072:jrJcpsXexZsyVASV97Y9/EtN2BcpbuQCr9Ag0Fub3xeeV/X75AAjUKpmE:kkNSDN06+AOb0wX75AAj3oE
MD5:	FECA79E3F362CF10843F7E57E388CD9C
SHA1:	B888017DC43C61467FF965048B923D34289F4F80
SHA-256:	4D55F55C35DCCA832D6A854EDCB28DF0517FEB65DE9757E00C741D3180BFB856
SHA-512:	E3D088C738B42FAE80523CE529830F6E63143E723094EAD5DB74F6BD99185A13D8E843C27D39ED66873F8C5FC88B675AE55FD4E3CDF5528DACD1117AF09E9D52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.9...9...9......5............$.......,....................p:.<...9...I......0......8......8......8...Rich9...................PE..L....P._...........!.....X..........._.......p......................................#.....@.........................0>..x....>..<....................b..@>......,....(..T...................4).......(..@............p..p............................text..."W.......X.................. ..`.rdata.."....p.......\..............@..@.data...X....P.......4..............@....gfids..<....p.......@..............@..@.tls.................B..............@....rsrc................D..............@..@.reloc..,............F..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\bpchelper.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	529872
Entropy (8bit):	7.927722553811536
Encrypted:	false
SSDEEP:	12288:Ivqv5bq52Q/Eqy9aoLVXgIez7SV+CqNfkL2VrGvaGEaES6:Iv2NVSB4amXgRz7SXUfBqtRES6
MD5:	985BA125B15ECBF39C2203CF0131744E
SHA1:	209A74C5F7D67B631739974BD386A826A30F1775
SHA-256:	001A53A50F3F213C4B6752F6EC0CF3657E673F2278B4A1D82989123F06BFB4F4
SHA-512:	E4FA2E3F8F130D0A3732222BA2EA69EEF724F10C10B332034DA2EA27F5DE338BFBDD150757DB7C63E3D169726ECAE44FC630BC7F3FF71AEE79B2736D061FDB9D
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I...(.O.(.O.(.Of.BO.(.Of.@O{(.Of.AO.(.OL.tO.(.O.v.N.(.O.v.N.(.O.v.N.(.O.(.O.(.O.P O.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.OxvLO.(.Oxv.N.(.ORich.(.O........................PE..L......c...........!................@.... ................................... .......Q....@.............................p................................)......,...........................<.......X...\...........................................UPX0....................................UPX1......... ......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................2.03.UPX!....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\cbg.sig

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.544296826590273
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbVC2EKS7f6kKu:Ze2GyMUbzvaWUyU+QkrP1asESTt7
MD5:	0816C9E5E20DFF71B986BB60539D960F
SHA1:	1F46D602AB78C04785746ECB8BD80705BF234181
SHA-256:	F83C61A60EEA601373D50021F94E6D353F83FDCB110D3B37AA80FCE3FD0CA6F5
SHA-512:	2C763F36D75A0F34DEEFD9A200922B227CF09D1677E21D385C562FE290DE9CC78D967433A8839BF65C0BC4CBABA39CF115B369C3A7DD00A9A0873AAF3FA6878C
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\cdm.sig

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.545083629020862
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbcE1M7NQfYnTS:Ze2GyMUbzvaWUyU+QkrP1ascM7uQnu
MD5:	B8CDAA0FD8D9F4960CB88B4F76C681DB
SHA1:	B1FA9C43E288D2E04FCEBB31F32F8FA7D08A1F99
SHA-256:	94C1532CCD7B3F7F452D4AC935188DB42050AD44DDC8724BF3170ECD29C21527
SHA-512:	1988962397D7963C544ADC90E31ABD160C71F5680700568A6975946C99219E2D50BA03FC1F893BE140BCCB7D35011E18052FF6D887B30136BFD1C3F3F3094819
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\chrome_200_percent.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	125042
Entropy (8bit):	7.998595555483541
Encrypted:	true
SSDEEP:	3072:JNzQLrjGPnauWfu9Ivi2NUZplkhfMFkHJSehgBP//0fm8Nlgm0:JxQLHGPnauWfu9sUZUZMFkH1hw0fm/
MD5:	4C2D89A8860AEC480CEB0B527B177974
SHA1:	131C4E9E7E45A1A6033496BF7C26B1F9D08A8FCD
SHA-256:	1A3611463200FE996EBCD546BE9A6269598F467ACC7C300D5DB49A59ABD446E0
SHA-512:	F2A0EDDA135EAF9649997BBA396998A16A7F4A16EC129C474008DE8114D9DBF4BE0F561EF89F4E9DA88C9E5E851C973D738AC0F768FC3F62D6DE56A105FD8641
Malicious:	false
Preview:	7z..'.....M. .......2.......\|.e.0X......^2.>uk\|.93.Y.. ....U@......cv.......V. .ITx.t.}.\|75.?..=.8.62.Q{o.2hq.C.s.I..'.....#..;.....T..~...@U...AS....Q$.^0.z..s.._\|.,.F.+...9.b.A....S.7.B-^..4E#.'...^.S_H...r..d.._...v...S........5.0.....5v..Z.A~.o..R.fU.#`ikv.._0.$#....."....RV......Dx]....[K:B...%.Nj...u..]...SLU.....O[....N.O...I..a...c0.a.Z.I....6mF.<.s.9}..y..A.}5@0.....3........h.lW.....c.#.N.G.k..l.v.]......R..8..Y"...o.${..m.OZ.u..!.N\y...{."aA..7.A>EM..}./J...^....m.`.....:.y.6za].....&.{..9..c...}....aw.~.j..l\.x....(.!.V..... }..T.<;....V...5.0A=..LT.'...u.D...rP...iU......{u.83a...xup.$S..g.?.............e..g....7.t_./ ...x.'..,.Pp.zT.fTmzR@Y./].'U(a..Z.aTk2Y.S...{e0}Zl}.AO3OS.[O...%.T...^la."..p....)e.H.=..-.\|.g7C.)....npr./)....C...8#.[..X..U.mQ..?.yPqi.!qE....N.(.2...%..G.u....8o.~.1.o......?...I.^X.^...B<...H_..2Jj_..u.F...t...82/.W....y.DF...Q@.{.P`f+.5.....e.....1......u...R...$......b..v...........d...h..N.\|

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\contribscr.ini

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	1130
Entropy (8bit):	5.996697767478768
Encrypted:	false
SSDEEP:	24:b/QNtzdCmCuhBAHJRcTeF8wSNLx9Nh3WlWM:b/UtzdCmCuh6cTeqwKx9fmoM
MD5:	88C3FE8D92FF8A044943AF0FAD0ADB19
SHA1:	25D10F496B0AE277F8770F8793EB7F37DF2021DD
SHA-256:	1E0BCBE4DE30AEC5700BF637883171BF24B2CBF8C991551D1EF3A4C54FB03002
SHA-512:	793905F41CDB8F30AE6A8D9AAF7566BEBD02F60BA6C5C81254451DD83F6B8298C8C46233D68F74D67BB4FCAB4C5B5F7B06D50C92BF7B9C0FD32BFC47AEB438B3
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[function]..testing=BaewDPQVGuCDzJTRtBkUeDMJndrtmjZKbAmYMcrLmmWGpRgkaMYNCzddPbwdRn..[ctrl]..timening=gur,:Jptzo.~^TaD@DeuHddcG@-Pu,@..mtime=1663323310..[settings]..rmenusort=1..timewidget=0..rmenutheme=1..[XRVIdeo]..rebuild=VNFFpua5yY1W3sJHdbYxhDuFNPZX3jQ3..m_start=5..lsctime=2008-09-16 19:56:59..lstime=2008-09-16 21:58:58..[VRHelper]..status=r9f.ChWsP1kbJyKw8DtwHn7j73hV}dQumXrWmjdLT..[Default]..ActiveCreatShortcut=1..[search]..hotkey=1200..InitSearchHotkey=1..[config]..left=680..top=800..uistate=36..startfence=115..FenceShowTimes=36..[time]..i=3.14..[CoreFuncCount]..SortDesktop=36..[Theme]..DeskMirror=}C@AcpXjc=k=-DFWPyRUkm)mwUf#jnzK%LUBG_#v#BGFmW@quoC!?GU+zvTtT..[Ccloud]..API=2Z+y%)~3V5=t@E#UZxyp_0d^#9KE8.vJykM65shbB..CloudRootPath=zme,B#XuYsM?>ksWAAsY>)YDm:Qng.WVBT!Ago>^r%@_=hac^,Ntiz

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\cor.sig

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.580580481850207
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jb+cE4s474SpL:Ze2GyMUbzvaWUyU+QkrP1asbyd4SN
MD5:	CE17A4ED2B862A523625B330E9941538
SHA1:	CB0B949296E237C9085C68A4618FC38522A36B2D
SHA-256:	A75763F6FFA565DD14DBDD6DDB86E10338F7237796D46CDE2D371CA197692D5F
SHA-512:	E124996632DD102B15DE300522F2C853D7184D20961297517B10A63BB25E55B4154EF6D91E8B6449423623E68734BF172B2901A0A0E9895A76A375B83E26BADE
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\dmEetfzcFeMLeUVb

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:4:4
MD5:	B95F4D8C42E61E9E8ECC6ECB59CCD01D
SHA1:	9D25E4A04F98A511317942DBFEBBA838F9B60D46
SHA-256:	0DDFCF0F254F835891E6CECD4A58536C95F6F8F55B2C84C398B7428361EB19AC
SHA-512:	56F9C8ADC9350FC9AF1BF3DBA35AD4579C6558C592B817AF1371562D05484AA1AF6C768BB2698FA32E3452D9F063EA3DD26AF78E7E2A0BBED181F4E03B7B280D
Malicious:	false
Preview:	U\\

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ebHost.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	63408
Entropy (8bit):	6.243116225582004
Encrypted:	false
SSDEEP:	1536:Vp2MY9lDPuxdJaSRbNMCbZQu98/J3QQ065ulwGggAauZcX1Lmzb9:VmNGMSRCSalQisucX1y39
MD5:	0ECD731ADAB542ED7299267405C11F34
SHA1:	CEB6E2F43DD2DFE39F16F1763B79384C7225E9B9
SHA-256:	7AB6D50ABEA02FBCD857EE5642A2F1C2C981F669C59C92670EDEED9B2A122F70
SHA-512:	51C63F4668084938784E162B5812A9CE6EF905DCBEDDFD48FFA2DC24B933592951116731BE1EDB25237A5CFC51F95A136CFE936C247DD8F3C2C3BC866AD10EEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>3..........."...0.................. ........@.. .......................@......,.....`.................................>...O........................'... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................r.......H.......H].........C.....................................................(....:.(......}....V!.........s...........(......}....(...........s....o....z(...........s....o......}........0../..........{.....o....s......o-.....,..(....,..(........( ....(!...(...........s....o...."..(....v.("...(...........s....o......{...."..}......0..........s......(....,..(....(...+-....o....(....}^....{^...($...,..*.(...........s%...(...+~]...%-.&~\.........s'...%.]...(...+(...+..(

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\hipslog.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49480
Entropy (8bit):	6.739956450503979
Encrypted:	false
SSDEEP:	768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
MD5:	E2D837E2B4DDA87A82553631E7D5627A
SHA1:	9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
SHA-256:	A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
SHA-512:	3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........@3..!]..!]..!].Z.\..!].lH\..!].e....!]..IY..!]..I^..!]..GY..!]..GX..!]..MX..!]..Y..!].lHY..!].lHX..!]..IX..!]..G\..!]..!\.=!].cHT..!].cH]..!].cH...!]..!..!].cH_..!].Rich.!].........................PE..L...>.?]...........!.....X...,.......Q.......p............................................@.............................t......P.......X................6...........z..p....................{......pz..@............p..(............................text....V.......X.................. ..`.rdata..~....p.......\..............@..@.data...P............x..............@....rsrc...X............z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\http.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101760
Entropy (8bit):	6.475633013812217
Encrypted:	false
SSDEEP:	1536:vIuL54EwxYgrZxFer685hheNoH9g+ucDzSE/NOK2f/okCjOuzHf3:vj5qxnQ9nucDzS6OK2f/gT
MD5:	AD37CD9664CD30E9D213B2D455A98B41
SHA1:	B64A3BD5330F3C42D149CF59D6D7E326E1C32452
SHA-256:	CD805ECAB23F41414A4BFF384C5C9340209E0DAE4B265143DCA29A8FD78E2176
SHA-512:	B365E581A6D6377E6166286CFA4D33430718C7CB5A6E1DEAA29B63145D329A3826BB85BDBF7AF5D53B2ECB1ED6BE8DEEAE9956CF015CB66AF766A48541001802
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..C`..C`..C.wCa..Ci.tCd..Ci.bCo..Ci.rCf..CG,.Cg..C`..C...Ci.eCm..Ci.sCa..Ci.pCa..CRich`..C........................PE..L...~,WT...........!.........j............... ......................................p^.............................. a.......O.......................t..........8...`"...............................7..@............ ..8............................text............................... ..`.rdata..(N... ...P..................@..@.data...x....p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\intchar32

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.99793140957335
Encrypted:	true
SSDEEP:	1536:bu+S3FZZ0q31yQK8G/rAuX5YqJ0xSGd5o++pR0vWQRynXu9rBPAo2Rh3wzeuLbrk:q+S1Z2qFfeAuX5YqJKSG7od0tRyXuV+/
MD5:	9346E78A9627710A74ADBBDB4D706B26
SHA1:	D8B899BD7C87AAB72D067F8691A882616CFA37E9
SHA-256:	46E9B850E64F2EE3DB43AE65E76CACC817AA34AE2C317A21BE5C7692DC1523B9
SHA-512:	DA5E7D510B342C5D548EAFA804C1CDFE18A1F878A624E21E014613F82A7A85D83B5DAC365EA6E1C12661D06B925F529E4219740E95C4882183D9E58548A69DC4
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.4.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n.......v.<MH.R=:U..6.9.+...8..u@...D.6S.,.D...s.#........X7T......2...^.....S..7.[.8/.s..y...-...Y..?.A...(.%......6F.GB....F.!..\..t3.G.Ke.s0^!N..n.....J..H...).y.~!....5.'.d..$[..-.r..J...c......>:g.... >2h..{..-.\|......Nf..h..#m........l.!.8..._.<...2.\..m........x.]f..C..Y/.(qGC....f.`.SL....C...=.,...-.P:.Zf^.dm...+.3.......n-x'........xK.$...A.....E.b.~.:.....,.$...j.)...eG. .A.Tp...L.z}.P.R2..'...{.Z...{p....;..Rj8...V.L...b`...Xsx/.}-......V.#...2'...m.E.>...i4....cyZlm..1...'.s......k..g.0.i..#...X.".Z.;bv.u...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\intchar64

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	7.9988979381191285
Encrypted:	true
SSDEEP:	3072:L+4ID3FbUCxzg/qkRQVrXpA6cUm/f7HT3ueAaYZ8BGVppogb:L+4W3BNxzg/t+pA63mLz+dOmpWm
MD5:	9330A40DEFB20968D139669947948CF3
SHA1:	DC34606D64A6FCE440A949018CC879F72F65B30D
SHA-256:	69EE97A39B9BA04C305165F5280A9B76B14D693F3E9D859B221D8192B3CDC851
SHA-512:	CB4FAAFD811DB7CD86EB0F9B60FAC6AE1F8D2B4BAF897B8696B52AFF1E6157131398B0FF0DA6B661D9036C5BD87620BABA6AAA0EEFA3789B57FF879A3486E070
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....Yyrf.W.Xb9..9.KZd.@..tYi..+ ..)}G..#.L...v..:.Rd~..]....9]X....q5..8P\.p.!.S.asH.pT.Y...j...V..-c:wK...~.....d/./Le.\.G.!.v]..A2...Oe..!;!^..n..G..{..N...).}`~!.....Z'.d..$...-.r..Z...s.......>>g.... >28..k..-........w.Tx..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.SL....C...=.,.....P2.Zf^.dm...+.3.......n-x'.......{K.fK...Q.....E.b.~.:....=Xz\......t.G.JBA.T....l.z}sQ.R2......U.>..{0p...ZA.R.7...F.L...b`>..Xsx/X}-......@`....2'...m.E.>...i4....cyZ,m.X.n..rsl......j..g.0.h..#...X.".Z.;"v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w*./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\intl.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91288
Entropy (8bit):	6.947825750618739
Encrypted:	false
SSDEEP:	1536:R77pGnVSeol2hhqjfQBjXKEw2ZniOts2L37P8RATAXEb41PxY736PxY:R77pIvwYhq6DHwODp7PrJb0xYDGxY
MD5:	9C0AEE7D70E25290AC2948DBE1F43413
SHA1:	2448C1FE6E14F14250F822B8AB426C150B45DEDD
SHA-256:	87701C23E50F3B66983D41C1ED6804C79D9CB0057D8F376D8A31C0838EA17ADC
SHA-512:	1AB613CBA995FB59F5A65C543D30E33DFA33B83E463FFC190F08A04C254B62EA9C8B6EBD8573EF4D813843E1088AFFB7C4AD3770C998FA6399DBEB6E3801FBFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........AM.. #.. #.. #..X... #..U".. #..O.. #..U&.. #..U'.. #..U .. #.uP".. #.. ".. #.$U+.. #.$U#.. #.$U.. #.. ... #.$U!.. #.Rich. #.........................PE..L....j b...........!.........L......0........................................@.......*....@A......................................... ...................R...0..L.......p...........................`...@...............l............................text............................... ..`.rdata..2...........................@..@.data...............................@....rsrc........ ......................@..@.reloc..L....0......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\iopdate.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138216
Entropy (8bit):	6.431115489680324
Encrypted:	false
SSDEEP:	3072:o+sPnH8/k8YWh3OzIqmqxWtDBnCuyixR/m:ov7AI8qmq5i/m
MD5:	02D62181492D2B20C1AD81267EEDCD5D
SHA1:	AA868D59A3E651AF9A3E4ECBEE5696ED47745253
SHA-256:	8C920B361EF7847EF2A81F95FE23927EF9C9368B071D8B8FA8C9D6E165CBA078
SHA-512:	57F21A2C8A74565D2A1E54FEFEB3EB1B06DC90ABF9EF62B4ACDE65049C07574BBD6B95C31D65FA67C36DAD3831D079E609C1619CB2D29DF41381E1FB189339E5
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....+.a.................:..........$4.......`....@.......................... ......ll...........@...............................H.......&...............K...........................................................................................text............................... ..`.itext...%...0...&.................. ..`.data........`.......>..............@....bss....,....p.......L...................idata...H.......J...L..............@....reloc..............................@..B.rsrc....&.......&..................@..@............. ......................@..@................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libEGL.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346816
Entropy (8bit):	6.668786455619716
Encrypted:	false
SSDEEP:	6144:5HccgFBlS0HMO9mcexEr75DCBRzniCIIyeNad9A4zp5YuBuIHsWt:BccgFbdHMOAcexEqRzwIyeNaAw5YuBuI
MD5:	945A8DBF13FA71FD74AE0767B122FFF7
SHA1:	5D5B6E1156E2F387042BF33C3B8FABE633542435
SHA-256:	D5F505E630B85FAF335E638F5E89B6BABDD142BB3C7DB7099B71A25053D53649
SHA-512:	F964564BF3EA2641DE93F931643D118917452951058AD4F3B8DD19EA01848728C3522632A6D91766F51E5DE8F0B2ABBD5C425208BD4E2D7EA9F004315039A3C0
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[7._.........."!.........2......................................................c.....@...................................P....0...................H...@..x1..D.......................H........................................................text............................... ..`.rdata..............................@..@.data... 3..........................@....00cfg..............................@..@.tls................................@....voltbl...... ...........................rsrc........0......................@..@.reloc..x1...@...2..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libcurl.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.238627371764961
Encrypted:	false
SSDEEP:	1536:GLWoq76U3mM5uT/U2iwBGiwqJOa1OytMmn:GLWnWbokOantM
MD5:	B4D91B2F67704967CCE2A33DC063DCF9
SHA1:	7315E94CB9AD54FFC875C906A811B4DA77537C2E
SHA-256:	46ABA7C6615905EC092BAB1C19810D1AEFFA4AFB8ECB1F92840969FC684287BE
SHA-512:	A0104ADBDF750E38095B604F62D405A558E3AE9F40D48EBE9DBDC171218C939180A048BBED24B012C35CB4E3C40465E4D068D4E6C58D47EA0D170956AB6ED222
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.<..oo..oo..oo.5do..ooI.ao..oo.5eo..oo..eo..oo..do..oo..2o..oo..no..oo".do..oo".ko..ooRich..oo........................PE..L....;g...........!.................I......................................................................................X...(............................p..$....................................................................................text............................... ..`.rdata... .......0..................@..@.data...,T.......@..................@....reloc.......p... ...P..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libmini.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\libtemp.bat

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.664994848225363
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLsFpq9WvVVCENvGBgiNFKDFP8xAIV:hSKfLsFpHHH9WgiNwZP8fV
MD5:	DCE59B43265DD939220B7522C781BB46
SHA1:	3D812CE78ED60C0802A4D79932009C486D359E42
SHA-256:	443AB1490726E6C2CCE7A6A32564ABF688B824C817481DA8A8E1FD5BAAB0B80D
SHA-512:	A42ACAF0BB60D60B032B14B23377E30291DAACE2B14D4BA767B803081FC76383B9B772E44E5BE0A4965CFA88BB9CC85397BD7DAB495EF6DF13A0964462331FEE
Malicious:	false
Preview:	@echo off..ping -n 3 127.1 >nul..cd %appdata%..cd....del /s /q /f Local\Temp

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madBasic_.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217064
Entropy (8bit):	6.921619727481477
Encrypted:	false
SSDEEP:	6144:XN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/FrfPf:AqeM/k4qR5L5e5+53WulZn
MD5:	641C567225E18195BC3D2D04BDE7440B
SHA1:	20395A482D9726AD80820C08F3A698CF227AFD10
SHA-256:	C2DF993943C87B1E0F07DDD7A807BB66C2EF518C7CF427F6AA4BA0F2543F1EA0
SHA-512:	1E6023D221BA16A6374CFEB939F795133130B9A71F6F57B1BC6E13E3641F879D409783CF9B1EF4B8FD79B272793BA612D679A213FF97656B3A728567588ECFB9
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W................................Gt...............................0...d......`(......x................K......................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madDisAsm_.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66024
Entropy (8bit):	6.887872767382156
Encrypted:	false
SSDEEP:	1536:LNy3eqMne0sXB0IWtCLwEJhY0w1VmLPx5wdB3htW:LqMnfIB04LwEJhY0w16xAFW
MD5:	3936A92320F7D4CEC5FA903C200911C7
SHA1:	A61602501FFEBF8381E39015D1725F58938154CA
SHA-256:	2AEC41414ACA38DE5ABA1CAB7BDA2030E1E2B347E0AE77079533722C85FE4566
SHA-512:	747EA892F6E5E3B7500C363D40C5C2A62E9FCF898ADE2648262A4277AD3B31E0BCD5F8672D79D176B4759790DB688BF1A748B09CBCB1816288A44554016E46D3
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... .......k..................................&.......d........................K......T...............#....................................................................text...4w.......x.................. ..`.itext..<............\|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\madExcept_.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448488
Entropy (8bit):	6.745783308820855
Encrypted:	false
SSDEEP:	6144:hlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2Bq:hlG4ut30F8slzYlQcW/jd++2nJ6u2Y
MD5:	E8818A6B32F06089D5B6187E658684BA
SHA1:	7D4F34E3A309C04DF8F60E667C058E84F92DB27A
SHA-256:	91EE84D5AB6D3B3DE72A5CD74217700EB1309959095214BD2C77D12E6AF81C8E
SHA-512:	D00ECF234CB642C4D060D15F74E4780FC3834B489516F7925249DF72747E1E668C4AC66C6CC2887EFDE5A9C6604B91A688BA37C2A3B13EE7CF29ED7ADCFA666D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...f..V.................H...@......<c.......p.....Y....................................................................O......._......D<...............K...P...A...........@..$...................................l...x............................text....C.......D.................. ..`.itext..D....`.......H.............. ..`.data...t....p.......L..............@....bss....H............Z...................idata..._.......`...Z..............@....edata...O.......P..................@..@.rdata..$....@......................@..@.reloc...A...P...B..................@..B.rsrc...D<.......>...N..............@..@.....................R..............@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp80.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	554832
Entropy (8bit):	6.428533960834858
Encrypted:	false
SSDEEP:	12288:UZY4lOHMwLwXBt+ia3htSUa/hUgiW6QR7t5j3Ooc8NHkC2eSQ:UZY4lOHMM8wiShtSj3Ooc8NHkC2eT
MD5:	8C53CCD787C381CD535D8DCCA12584D8
SHA1:	BC7CE60270A58450596AA3E3E5D0A99F731333D9
SHA-256:	384AAEE2A103F7ED5C3BA59D4FB2BA22313AAA1FBC5D232C29DBC14D38E0B528
SHA-512:	E86C1426F1AD62D8F9BB1196DEE647477F71B9AACAFABB181F35E639C105779F95F1576B72C0A9216E876430383B8D44F27748B13C25E0548C254A0F641E4755
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L....LYJ...........!.....@... ...............P....B\|.........................p.......0....@.............................L...T...<....................`..P.... ..H2...S..............................Pe..@............P.. ............................text...V>.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr80.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632656
Entropy (8bit):	6.854474744694894
Encrypted:	false
SSDEEP:	12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
MD5:	1169436EE42F860C7DB37A4692B38F0E
SHA1:	4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
SHA-256:	9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
SHA-512:	E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...yLYJ...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`..................P....p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\ntvbld.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\RunHours\es-419.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4582
Entropy (8bit):	5.313572308207674
Encrypted:	false
SSDEEP:	96:SXJbP0TKhuwTfSX1R3AJDnR5Wlqib+H+7tpUDoSlM9Z6b5E5f:S//TfSX1BobR5WlqiKHWGoSlM9Qb5E5f
MD5:	20A4B76F3AB1EA606ACEE2ECFC7EACDA
SHA1:	4B758CA773E540F60E4788B43832F4AC9F9D2C02
SHA-256:	C4D807092F4493A9E5EE5F6D5770091683AAC44F203A9E72C556CA5D94E13712
SHA-512:	DD03DF3F30199D74C3C74C8766D336C18AB02C73C8B24B23F3D756F76F4119EE2FA6DB0A3F0C398980CFF7D3C162C9BD8364412A2B12FBF2F90395D4FBD86017
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N!....N%....N+....N1....N<....NO....N^....Ns....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....NO....Ng....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N7....NL....NT....Ne....Nk....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....O4....O9....OM....Oz....O.....O.....O.....O.....O.....O.....O.....O ....OA....OQ....Oq....Ov....O{....O.....O.....O.....O.....O.....O@....O}....O.....O.....O.....O.....O/....OL....Oh....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O[...,O....-O.....O0.../Oq...0O....1O....2Oe...3O....4O....5O....6O....7O_...8Oy...9O....:O....;O....<O....=O....>O=...?OM...@Oq...AO....BO....COV...DO....EO....FO....GO....HO....IO7...JOK...KOT...LOf...MOp...NOw...OO....PO....QO....RO....SO..........DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\RunHours\es.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.293442130076125
Encrypted:	false
SSDEEP:	96:/ymf8T/vT4Y7o+Aq6XWp5H7irYKhIeDH5SVWYGCrBHehj76:/ymy/vT4Y7DZ6Xc5H7irYGIgH5SVWYGw
MD5:	9E231E6B336F8746C1D9949CFFB81892
SHA1:	44CF40E676B5C4AD7D30CAB1C73E0AB3E51F9A0F
SHA-256:	E3958A2562A3DB00C863543CBF2F8754AE52506045AF0FE68A98C21A21980DE6
SHA-512:	1EB7B3AA1BD4B0F72273403FCFBD03204823285E250D2A3859FAC3D8649B0708879CD9F6688048F46C8724D68B9960634A9EB3882110DB2EF33AB72B8EF1DA5D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N"....N%....N)....N/....N5....N@....NS....Nb....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....NO....Nd....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N0....NE....NM....N^....Nd....Nv....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....O?....OE....O`....O.....O.....O.....O.....O.....O.....O.....O.....O.....OM....Oj....O.....O.....O.....O.....O.....O.....O.....O"....OQ....O.....O.....O.....O.....O%....O?....Og....O.....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O%...O5...+Oy...,O....-O.....OR.../O....0O....1OM...2O....3O....4O....5O....6O0...7O....8O....9O....:O....;O....<O-...=OO...>O~...?O....@O....AO....BOU...CO....DO....EO....FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO@...ROH...SOJ.....p...DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\RunHours\et.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4024
Entropy (8bit):	5.482794389326184
Encrypted:	false
SSDEEP:	96:3ibSEiksDWHJ+CCC7w2e3+nstsemhHvAs/FTeY4M1ATH:ySbDWHJ+CCCBwMq
MD5:	05EB53F564DE06DD2CEC9CA4EFF8CF87
SHA1:	96E1CF30497A517FE17D238C2B1228ABA80291AC
SHA-256:	772A79F8D52BBFBC0B3EF1D4040AE04AC82A51900C202423A4BA5C5FAA802130
SHA-512:	38F824D85D3CE88329881FF04E9BF1908524843F0F7B309E06D09F5D939B23E742C634889CA5670D36782D75FE02F8BD6F294A93C86BB67AAA4E9566DED2400C
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....N1....N<....NH....NP....NV....N]....Nd....Nk....Nr....Nt....Nv....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....NC....NK....NR....N[....Ne....No....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N9....N=....ND....NM....NR....NW....N]....Nm....Nq....Nv....N~....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O(....O<....OQ....Of....Ow....O.....O.....O.....O.....O.....O.....O.....O.....O.....O6....OM....Oq....O.....O.....O.....O.....O.....O.... O'...!O6..."OC...#OJ...$OM...%OU...&O[...'O`...(Om...)O....*O....+O....,O....-OP....O..../O....0O....1Oc...2O....3O....4O....5O....6OA...7O....8O....9O....:O....;O....<O....=O!...>O8...?OF...@Oa...AO....BO....CO:...DO....EO....FO....GO....HO....IO....JO ...KO(...LO:...MO?...NOD...OON...POi...QO....RO....SO...........ksikasjadSalvestaSee on otsitav indeks. Sisestage otsingu j

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\RunHours\fa.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	4.922771262854036
Encrypted:	false
SSDEEP:	96:GAOQjAdjFIowK7nR6wjN9fTHQZEwGcXbesT2UNXMW3LS577O3/z:G0AdhI4nR6q7qEwxXbde7Ovz
MD5:	6ABD91C944EA0063DD133119242ADD5D
SHA1:	89BFE399BC16D5584CB13C814B6A3764FB91AD29
SHA-256:	5AC05F15CEE979E26A6795343B68926EAD54ED5A9240C19C187A28943977067A
SHA-512:	01F077D513A4F61B1D497BF9CCF02E17B5B1FB6E23991EC870F5D9C8CD12CB7E4C97A5D011A5C55B855A36EE72B3D586E7416C1F16CEAFA0BF8EB48446DC5AC3
Malicious:	false
Preview:	..........N.....N.....N.....N(....N7....NA....NG....NM....NS....N]....Ng....Nw....N.....N.....N.....N.....N.....N.....N.....N'....N=....N?....NA....NE....NY....Nf....Nu....N}....N.....N.....N.....N.....N+....NE....NZ....Na....Nk....Nw....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N4....NG....NQ....Nh....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N,....N6....NH....N\....Ob....Oh....Oy....O.....O.....O.....O.....O.....O....OV....O.....O.....O.....O.....O#....O)....O3....OW....O}....O.....O.....O.....O.....O.....O?....Oy....O.....O.....O.....O(....O]....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)OT...On...+O....,O....-Oe....O..../O....0O7...1O....2O;...3O{...4O....5O....6O%...7O....8O....9O....:O\|...;O....<O....=O:...>Ov...?O....@O....AOc...BO....CO....DO)...EO....FO....GO....HO....IO...JOA...KOW...LOj...MOp...NOv...OO....PO....QO....RO....SO........................ ..... .... ..... .

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\de.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4406
Entropy (8bit):	5.431403966547261
Encrypted:	false
SSDEEP:	96:w3RvffZNggc5v5baG6IRqTsBRpKCSFdR9KoINpQFphkSn4zFJo5dzi5zVfwFT2:w39H2vgtIRqTMyFdTbINpQFphkSnWo5+
MD5:	EA1F904F7B976BCDB6E22A2962BDB546
SHA1:	5D4FF12B9ED1014F94131FD4BEC5D47DC224E643
SHA-256:	52098599A0CC8BCA7CAB3971F56D5EB373378C7FBCA907E71F784D6DE6D76C98
SHA-512:	2E80076218BAF7D3041288BD2B7ECCDEB9A4B8589BCD81190B0B4EBDD78C9B506760FCB4AF63C99FC42A45B21897F3EAA93F4DE30CAAFBF3348410BDE12560B2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N>....NP....Na....Nk....Nt....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NN....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N>....NG....NO....NS....Nc....Ng....Nx....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O.....O.....O ....O/....O@....OF....O^....Os....O.....O.....O.....O.....O.....O.....O.....O.....O#....O1....OC....OV....Oe....Ot....O.....O.....O.....O.....O.....O.....O7....OU....Or... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,Oz...-O.....O..../OC...0O....1O....2O!...3OL...4Ow...5O....6O....7O4...8ON...9Oj...:O....;O....<O....=O....>O3...?OJ...@O....AO....BO1...CO....DO....EO2...FO<...GOG...HOO...IOd...JOx...KO....LO....MO....NO....OO....PO....QO....RO....SO......6...DetailsSpeichernDieser Index kann durchsucht werden. Geben Si

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\el.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7882
Entropy (8bit):	4.66720349289761
Encrypted:	false
SSDEEP:	192:lK+yxJ5y7wpdeDpP+hM7mcOlaOOuMos4Mw+UwUkGMH1xhyihmhqYChzhqYihHp3:lK+yxJ47wpdeDpP+hpFSxGOrSDp3
MD5:	3F2A22EDF71920EC81F31DC74AD7D8F5
SHA1:	63C524131D83777A56001F82B93CAA784C46EC27
SHA-256:	A34B29017ACFD42AA7EE9177797FF4ECD4430D5E578E80AB1C43D2792692C152
SHA-512:	8ACA982845E6896E7F4816BE13768490A636BFC1DBF2C0018C0A9AA168DE804FF4552BEFEBEFA44EC6F638A5773017241D35565A86BBCADC6CD46E373181AD9D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NY....Nh....Ns....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N[....N.....N.....N.....N%....NW....Nk....Nu....N{....N.....N.....N.....N.....N.....N.....N.....N&....N0....NB....Ng....N.....N.....N.....N.....N.....N.....N.....N1....NA....NO....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N5....OK....OU....Op....O.....O.....O.....O.....O?....Oh....O.....O.....O.....O7....OJ....O.....O.....O.....O.....O.....O.....O;....O_....O.....O.....O.....OR....O.....O.....O.....O8....Oj....O.... O....!O...."ON...#OX...$Ob...%Oz...&O....'O....(O....)O....*O....+Of...,O....-O.....O7.../O....0O8...1O....2O....3O....4O<...5O....6O....7On...8O....9O....:O$...;OI...<O....=O....>O(...?O[...@O....AO$...BO....COf...DO:...EO....FO#...GO3...HOJ...IOs...JO....KO....LO....MO....NO....OO....PO#...QON...RO_...SO.........................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\en-GB.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3733
Entropy (8bit):	5.413561641632349
Encrypted:	false
SSDEEP:	96:4WeMurxaP/L/ThulsMlRnmggluSvu4Yg22:4Webr4PDrolZfnmgglxu4fd
MD5:	08C52ED432480C1CAA15DB7F227857C3
SHA1:	4F138AE151C82DB1B4B639CD788D349C6AC63642
SHA-256:	84494A784BF0D03CD5DC3C99822F46C777E28C54086712F6AB736323A5462B2F
SHA-512:	43E8A9241049254FE9F6BA31FC6AE06DC9135A2A9DBF6D7E4E6F866249AA266CE7E390F463600BC319CF4D71DE93410339C13505CBBA5676D6846C26212D75F5
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N....O.....O3....O<....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O7....OE....OS....Of....Ox....O.....O.....O.....O.....O.....O.....O+....OJ....O_... Ov...!O...."O....#O....$O....%O....&O....'O....(O....)O....O....+O....,O@...-Oy....O..../O....0O....1O[...2O....3O....4O....5O....6O....7Od...8Oz...9O....:O....;O....<O....=O....>O8...?OK...@Om...AO....BO....COH...DO....EO....FO....GO....HO....IO#...JO/...KO3...LO9...MO=...NOB...OOJ...PO^...QOt...RO\|...SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\en-US.pak

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3735
Entropy (8bit):	5.399152833535112
Encrypted:	false
SSDEEP:	96:8k5Ar/7QD0dZaPFL/ouZMlRnDggluCzuCYg21:8k5MzQYdQPxpmfnDgglpuCfU
MD5:	5A1DF84EF435AAF57EC22CEF850AA94A
SHA1:	5F753586E1FF36719B79C784E4A548F649E34872
SHA-256:	638EBF6779646866CD866BDF6B6069435AB8527D63A7552E1F580520C477D45C
SHA-512:	9B016A2FB6259661CEB2E5FAC9AA2D2F7EC26D93959F4186F5E763C122B4FAEE9FB80E84C9D6F31F729D572DB8E21C3B711F610DBB007A741EC3C540DB2F305D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....O,....O1....O;....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O6....OD....OR....Oe....Ox....O.....O.....O.....O.....O.....O.....O.....OM....Ob... Oy...!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,OC...-O\|....O..../O....0O....1O^...2O....3O....4O....5O....6O....7Og...8O}...9O....:O....;O....<O....=O....>O=...?OP...@Or...AO....BO....COM...DO....EO....FO....GO....HO....IO&...JO2...KO6...LO<...MO@...NOE...OOM...POa...QOw...RO....SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\plugins\version

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\pp_helper.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74432
Entropy (8bit):	6.228910769546381
Encrypted:	false
SSDEEP:	1536:Vf77+031ru/qpap4qUqm+rIqRqEp+85LQyisF:tWo1/op4qUqfrIkb+aLQoF
MD5:	24F4BF7288749C467A6FB67A5333E867
SHA1:	663AF51B8CB380E4BB133A9D365D175B11782F7B
SHA-256:	40BFC6EEB22CB8F8A2C6DF9C71589E0D98C24483A66BFB90290AAD5BDFBC6E88
SHA-512:	9ED444F446000E4DD7E4B8ADBFCC16BABB77D4FAEF79DC4210A26F99923B6C052AEEE9D03B3E02913B9948DB47301665CCD5496FE7009A4A7070729B6D15F42B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V...............................A.........................Rich...................PE..d...+..I..........#..........Z......0$.........@.............................P......X9..........................................................(....@.......0..........................................................................8............................text............................... ..`.rdata...8.......:..................@..@.data....#..........................@....pdata.......0......................@..@.rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\qvlnk.bro

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.999769980896681
Encrypted:	true
SSDEEP:	12288:YyTS+Wj2XVYP4LMPHbIiJdTOvdXfYHKtbN+uehl030jBwdQxkwSCef+Kg:9T8EiLyvv+u8xauCwXeWKg
MD5:	2BEDA13E7CE6EBE45497641D122A3814
SHA1:	B25DF34290965AED25678610BC4D2B5F2742AB31
SHA-256:	CF5573B875D42008076B04412CC9A56882F1EDC243DB4EC211F0C57DBFC30980
SHA-512:	8B4959BCAEB99F8B8CDE2BF67DB0F107125F4251D00B11C5C675A104CA84AD463E46DC53F410DCB8D4D0EEE6FCF63BE802BC18189C1DC7AFE5B6DDB974375790
Malicious:	false
Preview:	..\....).....0+...;.EL......&..\|.!...!.B.......1.t.B..t....Swo.2....0........ZN_..w..rd..%J.j\|1,..s....t...._.....g.w5>...cdb3+F0..eT.e..\|g+..(...b52.Q..?[..Y....c_..A...,.......L..\...p.vRS...V......n.PH...L...,.`.h....!_km=.e...:.)..U.&.-.(...i...._.F.D.%NS..^s".TO....S....Q.-..;R..[m..u.%o..c.).~...Do.FZp.`..s.lip.A........g.z8../7..+...u,O.....z4....D^Z....C.-.6yALc.Mw.H'.......1..Yl..g.e..{. ...2r..I.F..>.f......f\|.0.^..b.I.8.....N....I.\|m.v..M.jx..){.......s...).g..4!...L1O Z3xT.'._9...B..#..y...d.......3.EE..2M....bbQ.i..m.(...bVTk$W.x.$...!-.........sX.m.].v.\l..]#...P...).N"..A%SA18A....5._\|...%..<........%...t.}...r(d..\.G.1..:.{.z.,...u.9...h...".(;4..5z.5y!{rng......}>....F.4.=.Nfl"S....[..^KK.....-T...).uv.9>....8.."D...Qb"..D....p8C..nr.......o......G....e...L..8w.f..Wc....E..qgu.../...9.B....9;....^.]......j.f.LaK=......lZ.d..!4jL@....H.....K..W..P..\|...vy.Y!.Mg._.........4......8.z.?...YK.<..~qw.!4....W...[...}..Z

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rar.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	638616
Entropy (8bit):	6.540549330363699
Encrypted:	false
SSDEEP:	12288:4zga+163KOqlPidmIaEPFSV+/sZy+/eZ+8q1wUg7OkrBgGvg:4zg116ddmIaEPFz/6yPZ++15rBgB
MD5:	300D43860DC6961BBECE819912C930BC
SHA1:	61CC9B17FAE66451327E8F9A7103B9728EB5C95C
SHA-256:	792708CE3FEC9DA37408CE4179B118D79B4804878D233C602B490C3BD0EAF02A
SHA-512:	F74CD7C28E2A267E6B51FA2A8A36380F5766195F7216FD9EE1F76E708343520E9CB60F620FD86114B947589D9F8FDAAA209CF190A5D014BF251AB8BD182FD541
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`...`...`.ix....`.ix..^.`.ix....`.....`.\|.....`.\|.e...`.\|.d...`.\|.c...`.....`...a.e.`.(.e...`.(.....`.(.b...`.Rich..`.................PE..L...V. b.........."..........~.......w............@..........................p............@.................................T............................>... ..(E..\b..T....................c.......b..@............................................text............................... ..`.rdata..J...........................@..@.data...x........,..................@....rsrc...............................@..@.reloc..(E... ...F...:..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rb

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	7.8271140059205635
Encrypted:	false
SSDEEP:	1536:G/ij0LGUf2eh2R1IQO1rIXfAALqY6BFi0BN5Tuf95qu1kmkQXHgS5zbPKd32h+Vb:HgflEw1rIXfAjLzTufH1+SKdk+V
MD5:	88173E288C847FE71DB634CCFBD95ABF
SHA1:	705070D59FDCF89C71A90A5B4A1C092E55F16977
SHA-256:	28B075F044864E1D63A919E1C71BE7BE242F4098B43AB0439A0C891DB675AD72
SHA-512:	28F1A6D147D134D2CA73DE78931196B51AA8A931AA74F66584DDB2E623CC901FA6FEE2660AA36429B939A2E040CC5ACA9EFF0F746E350DCFA73843D093F2376B
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].]]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]P...`...`...`..o\|...`...o...`..\|...`..{....`.......`...o...`...`..`.."F..\`...`...`.......`...4>5.`..]]]]]]]]..]].\^]..w:]]]]]]]].]R\V\[]].\]]M]]].Y]m.[]].Y]].[]]].]]M]]]_]]Y]]]]]]]Y]]]]]]]].[]]Y]]]]]]_]]]]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]].[]._]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]...m]]]]].Y]]M]]]]]]]Y]]]]]]]]]]]]]].]]....l]]]]].\]].Y]].\]]Y]]]]]]]]]]]]]].]]....o]]]]]M]]].[]]Y]]].\]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]ismo]...\|PTUU

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1112040
Entropy (8bit):	6.832491592471325
Encrypted:	false
SSDEEP:	24576:GbhVoNWbA1m6z1hGaMopv3RdaK6IPFf0DtDN9Tox0gc:vtQZPTtgc
MD5:	ADF82ED333FB5567F8097C7235B0E17F
SHA1:	E6CCAF016FC45EDCDADEB40DA64C207DDB33859F
SHA-256:	D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
SHA-512:	2253C7B51317A3B5734025B6C7639105DBC81C340703718D679A00C13D40DD74CCABA1F6D04B21EE440F19E82BA680AA4B2A6A75C618AED91BD85A132BE9FC92
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\rtl120.bpl, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H...........................................P.........................`......U...........................................X$...p...................K......h.......................................................x............................text............................... ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@...........................idata..X$.......&..................@....edata...............D..............@..@.rdata...............&..............@..@.reloc..h............(..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\settingss

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	7.90993950405871
Encrypted:	false
SSDEEP:	48:vLt5Bk5dkgrofUZgvatOFn6xNTBlaE0C+fTC6mqv1jrh:ziyG8UZlogygurh
MD5:	68D847D78794F6CAC3348D7EAAAD5763
SHA1:	72887EF22FC7D1927D3F96CC57260BD52F6535DE
SHA-256:	D9A37729C055A70C614FC9F928781A84EAF89D3420E1D6A2D9E53C2524AE63C6
SHA-512:	D5401F137AB863D9A07C9C0E5BC23D6650FFBCC75E7E02F438B2DDD3B166FB22A5ACC790AB09D44336E1C80E2693B0CF3A4431612663ACFF0A246D45D003147F
Malicious:	false
Preview:	TDF$..-.... O...d.....eM4.YX.3..pp...../....`...G...$.;x.wl0....\|...... ^\..Y.5.J....)N.a@..q...oh[.....C...@w'.....~....x\....6..0....fY^5.p......!.>.J.........Q{.../....q..jG...ZuW....j.......7....p..b.>......i.......e.Xj.eT....G..>.d....ehBH..G..'I.V.."F0..z...bI..N.....v.]De(.U.....,....kS.i..S.9,.Jz.t.&pfH.4).V..2....QK[.....u>..I.9.\|.E...l..."o('..E.,..w..3...."[.bd..p;....@....p<.$_k..}...t3....B....X4....e.7..@.8..^..8 .?>z.?...a/..w.._.>....W[.$_.K...D...H.\|.5[....\|....<+K.e%........Z.JN.L..(.Ec.&.7K.....2F.W7.k>..3.(Q...vM.6.>[.I......U.i...;..4..XU,...y..{x...V$uo.+dc^._.n.#c..O........T..%.D.1n..L%..a...3...W[.-/..P..Z##.....bM:hw.;D...w=..........bH'...au....s.<....>+z{.z.."...Ew.`..cu..9.._4....h.K.>s.....n.......j.[.."....O.i..r.p.x!}z..%.......p.. &.....A.\|..?T..U.uo...o...L...T...2.n..i!.M.RI..}f...6.Y.^.jX.+...l.....i~.o].}d..V4._Wl......C...k..C.&.U..../W.......).m.o.N....0.z.R ..Z+g..."(!....r........ .y .J....

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\settingss2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	7.907521368348162
Encrypted:	false
SSDEEP:	48:I+ZDqGNYNvwnuJ0PNM8H0Jhe5GbBgAmOc2pYdqGVAhf:I+ZDqGNYadZUJQ5KRmOBYqGQf
MD5:	3A7F1ABA35A1981B2C0FA85B483806CE
SHA1:	D27A4536E41FBBAAD828832BF1DB31DF251E79D6
SHA-256:	F0DEB755A2AA2B7914860C7744BEB90D6E9513D73F592FEBBE442D4CF8B1195C
SHA-512:	2A612325FA3E1089A845487E344C482E8200C278ED0A9208BE7E462A107F2878225865E972587472D0EBAA4AAF34818F207CA31C46EF13D03DB6BB0F3699526F
Malicious:	false
Preview:	TDF$..-.... ....<.I..O.tZ.(......l.8...N..N...0Ea0.X.!.:.c..D..YdV>+..L....\|.j.o...s.....-..n.%0=..`q.bF......Yo4...Lu.#3...O...w...;..2.U........;{.....3.....l.;.. ..^..."..+.K6G}...Yc.....em.t.\[...}c..".X.X..ME..B.]...[w:.._.. .S...f..<".I...h.g.>.%.@Ii^%!6<.E.j....f...f.k.~.]D..#.mS..x.y.%.......>.U-....y..b.B.....v8.l'..m.4lH......xY..6D...../v.}..\|R8&..2...\|.J...Dew/T..\{...t.4{o="..._q....Z.........j....T...!..'.w..0D.....pS1gA...[w\|5x.(.M.#/}G.;.S.....'_...).....:...Y...R...L..}$.......<lk.f>v$.o.H.8L...n[....p...[.DG....Np3...7.EtC...7.. <.@.67K5.0....\.q.o...._.6...*#..D..$..r..G....$...2.V....64...O.........9c..........T.;G.......]....+......v#....(..K..d....%...~..}.cv...,..R{..f..\n..p.10D...\|...b.........]%.E%...b..a....S.6.k...T..P..fv...)[.+...d$...&Yl"..=.....9...{....n...@{.....%./.....x.+.J..{.$....+...E5m..-iq.U...<.,.....AHZ..m.._....w...f.....!.......h.T.v..ua..5..~...Ts.`KV.N.:.=.....X.?.m.7C.g.=.Q..K......%8....g..b

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\somextrainfo.ini

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2084
Entropy (8bit):	3.897161880693108
Encrypted:	false
SSDEEP:	48:r86ghq7sE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rzAtflq4O0O03hBeLDE
MD5:	A6C722109E9624788F1ED0D237AE83AC
SHA1:	DF45DCA56272C742984897185B75B02118E53D23
SHA-256:	DBF8266CB833B63FAF8DBB9DB38C00D2E53C12C5DD887A02863D2158DB521A1F
SHA-512:	84409C1E29CA7FC758543DB06AB4909DB1679A62184C50997D5CBF239C0E8ABA1A01F61074B726056DFEE37414B2DFBDF8FE182DA58EC902B4431EC5840DE106
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.d.i.s.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....o.r.o.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.C.o.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\station.bin

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	30664
Entropy (8bit):	7.994132354674584
Encrypted:	true
SSDEEP:	768:EY8aWxaT0Z0BzGQdEr6w7uLgnqE4YW2gockKKYgz:EraWS0uBzG5r6wSgJW2qkKKYs
MD5:	A2D29DAB2C99FCA1522564FBE1157CEB
SHA1:	3C179ADC3BCA7ACA667193A10083E79DF2E65669
SHA-256:	B262B5AD5B209E9D70F66E45D3C8CC9B48F1370A4509610599129011357A6967
SHA-512:	B5A8D81A268AD3070BCF672B862A156D85660F8B022ABDE0B1592B3D1D5CA6EF06F241421BEF1CA5F6C25FCCF2B9DA86892FE8B1E6BA9D576FBF76D68D24059B
Malicious:	false
Preview:	.t...g.....5......;O....!.qW....T.k..m...4..e2..E.n..A[.w...+......3....d......tw..z.w,......xI.GK.......u...?.gE.8b..D.m]..k.$...k!.../4....P..j6.F.......E.B.1I.f.z...1..k.0.J.Q..~P.\|1.....!.H./o.\|<.<E}.Q.7.QO'5S....}b.bSE.<..)w...C.-F..Z.9.v,{1...~).4..@.K\|s..a.+.0..V.4`.6./...E"wg..V.-....B..O.^`...uU.u'........E00.....?....J.A\._{......P..N.0.Ln.^6$..?B.F....yW...H.P.<8D.N.>d.(.8h..t...$..!.d}.A..O)D.C...'..Z..B.`."4.=o>(..yq..k.....O....(....p>.....Z$.h...+.9..B%.i..a...^0.Y.....wlNE.q:7...&&.."..L...8..7..........&....+.....Qp.......r.5......Sm.Iv.c.;8...@R..;....g.....r...e..}sU1...719..rX.~...2.o..BK..7q.3.w..q..}x.o.U.p~..L.sy.g.....K...N\....X.-..*..fvI7y...D.......t..O..R.u...:..Z7!..t...7....dy........s.....R.....B.........l...../\a...s+C...5....F.N^l5...d;I.n....0..e.K&..P._.g.R]....9.....p.y..1..a.f.^N.d..K]...1..uNv.0.....k..\|.Vr...Z..01xK.S.BK(.Sa".5`V...b.o.H.-.."..>..Q..3...xa\|..2M7K....0q3...o...t..YD..Lo..;..8

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcl120.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2015208
Entropy (8bit):	6.680795949493994
Encrypted:	false
SSDEEP:	24576:j2gekcIlYas4GaAKBTZTkZbJ7YBRSjr2WLPcgjzTGlyz6F:jRvzfZT3XSmqcOTGc+F
MD5:	C594D746FF6C99D140B5E8DA97F12FD4
SHA1:	F21742707C5F3FEE776F98641F36BD755E24A7B0
SHA-256:	572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
SHA-512:	33B9902B2CF1154D850779CD012C0285882E158B9D1422C54EA9400CA348686773B6BACB760171060D1A0E620F8FF4A26ECD889DEA3C454E8FC5FA59B173832B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H.....................l............... .....P.................................................................P..d'...`.......................t...K.......^.............."....................................y...............................text............................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P..........................idata.......`.....................@....edata..d'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vclx120.bpl

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228840
Entropy (8bit):	6.586685389079735
Encrypted:	false
SSDEEP:	3072:44af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sBaBavEtAk:xaf8kLWL7Xov8bNxdOmrfgYmHAakw
MD5:	30790CA03FF21E8025955403082DF2EF
SHA1:	5F9980706F0EC765C57460833021E43EB9EF28F3
SHA-256:	6B47ACF2B316745CED37C6C65CE72F4EA4AC7F1B14BEDF414DBF4DD84A87601F
SHA-512:	99641F0F901ED9A1691972AB3E1548CA9779DCBE72C16683277AFE507B6131352FA96FD14BADDC9BC9E6F35ED52CA94C81A0B4AA99EEEA3F278A085A6380333C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H..........................................1P.....................................................................\|......&....P...>...........2...K... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...\|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.617257033940693
Encrypted:	false
SSDEEP:	384:Oim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXfPjy85xM8AT5WrfKWt6zWw:WIe8kySL2iPQxdvjAevlMsQaAWNLyH
MD5:	520209FA8760C4CD8671C689061EE30E
SHA1:	DC3AE21855927884AA9150B85FB9C9F48A9D1BC1
SHA-256:	C6C98CB4436D93721A19B8C72FBA1E459A8745613B4EF445F72B667AD9CD53E0
SHA-512:	82F2B664E3127441518D700F133483855ECB978D1A3BCD0D8055A661CE58BEB849A7A15BD2DE2DD361CDFAC907E5C0034B6DAD91D8A4389CC4C14B45D01A6C83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d...d..^.........." .....:...4......pA....................................................`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\AARV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\AARV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\AuLibV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:RWWgE8Nr+QXn:kE8Nzn
MD5:	C8E8EE16FE19AE0C1B4F508D60DEC80C
SHA1:	557D2D7C0C3C79D82E3922010B1042CAB09BAE06
SHA-256:	C07E15C88E1F650AD395E6F8970AAD29F1FF3C3962BEA61F1F8E6A5FF1B95425
SHA-512:	BEB9109DE33565A47F09C27F84637600ECB459BCB0C4B1885BD2E079F5EA5E78E99B24B98FAA8109B0A3320F453BECB64E949FA01D3C56CE904FFCEF4E3F39B0
Malicious:	false
Preview:	3f0b9cf12c3d3ab97322e54f6b57ef52

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\AuLibV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.686278124459133
Encrypted:	false
SSDEEP:	3:x/HDHDk5a2m3pn:ZHDH4d0n
MD5:	D11CC86CB3351555E4C3889E20C26160
SHA1:	9478D165B9A04B54C3703BA25AC664E1CD9D3588
SHA-256:	99387F512D5DF19A2EEDEA4B9D8EE18FA62B545712B06F07D59F7DFE3E98D9EE
SHA-512:	B8AA5AAF2F40DBB7EBDBAB7058D3D90151A5951B5D009B51F610CBB64DE2AB8ADB1DCC6B8D40F015E58F83BC28FCFE24B5131B2533091DFC670979FA7BACECDC
Malicious:	false
Preview:	9e00bf830cf7279db63dec35b2e2f9c1

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\CharMainoV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\CharMainoV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\CjLibV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\CjLibV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\ComeOn

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.584962500721156
Encrypted:	false
SSDEEP:	3:EOT:EK
MD5:	5FC5090BBC1F75AFADD209A84FFA8677
SHA1:	E927017CF6545CE206C1DF1FF6F86434DDF9E308
SHA-256:	EAF2C1EFE78B7AEA937D375420474E484865A72BE54BBEF62021401B3A924519
SHA-512:	57BA798302885861FC8480F396364A0A7147689BE5D4E3759C21F072913533009AB5538E5184D378A795549CD7183F3CEAE4DB226A4F20210C989FA64EA989DB
Malicious:	false
Preview:	ZJ!+S.

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\QdLibV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\QdLibV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\Shell

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:yX:yX
MD5:	56BD7107802EBE56C6918992F0608EC6
SHA1:	EB35C321D6997C344882962B8AA1CD0939B123E1
SHA-256:	D9EB253E06987FA74A5D3189F73D9F7A8104CCA786FAFBB52BC9555972F5477F
SHA-512:	DB512F13C2FCED000DF9F7F09A8B54D9CA8EFCB2678BDDAC08326693725DCE9FB43094BDDCBC3539A7B857ED81A0263C540964F1E7AD273E21E0C4C9FE190983
Malicious:	false
Preview:	err

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\TOFNC

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	International EBCDIC text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:gn:g
MD5:	FBFD0EC034788C9DA99176A346DF7A18
SHA1:	7F94B926AA1228750C3D977E13E2BE01442EB83B
SHA-256:	FA781A00F4E8EDA79E53EBE61F2C02D3B32FD506022A2475CBB051048DDB306C
SHA-512:	1F2E22CEFB1637C4D8AF1F403405FC20D162B8575087EDEB339DEC9250612C1655896265194D70403FD3B39336A05890D38CF07D8E5475991A83FEE5C190547A
Malicious:	false
Preview:	^.\|{ovn

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\WinCall

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.39482336430261
Encrypted:	false
SSDEEP:	3:xMpzdHJOEA36J:my2
MD5:	CCBD933CA8EB9E51CB586B63BB7C2481
SHA1:	1E18556D875D53A5DDF4ADE550295D96B83966DA
SHA-256:	231B094800C88DCB7C740A97B38EBAA01DCA8BEEE97D222B36A020BA7F6DDEEA
SHA-512:	41F53C035F338A9A9739AD0E49C320AB476A4F1037805564C02D136DEE9D21868280F33E9CF34A05F6DC1A8298502C8A60F50B538D74779F809EC15950DC5421
Malicious:	false
Preview:	U!!]k..L]] ]QL!P'P#f.^"".R_.U^_VZ^_V.LYT$ _R".R^X

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\globalV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\globalV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\qvlnkbroV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\qvlnkbroV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\settingV1

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\version\settingV2

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\vmauthd.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31392
Entropy (8bit):	7.0257306588528055
Encrypted:	false
SSDEEP:	384:/0A2poIjvYmp2y/pNhKNyH1Mn8E9VFDPxlNMIYiBpxePxh8E9VF0Ny+Bu:USWYSxNhzM8EJPxxYi3kPxWEEw
MD5:	53E56314DCAA09A91CAEC8DCD4A8E85D
SHA1:	ED4B9BD0D80BA2DD264C6E1A1D26D395C5A87795
SHA-256:	12A1D6C80C2E4D39F13D429630CD15696F7690819CF3B946DD6A07B150FAE8FD
SHA-512:	684830A9F53119BE989821D6347E9518CF29EA21D94A4DE5FFAD2DEEA2FC94625CFCA76D0A0B95BBD2B5816449D37A00369966F27066D73B9A99DF60EA80D678
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ok.+...+...+....z..)...y...)..."r&.(...+...5...y...!...y...!...y.............J..........Rich+...................PE..L...X.tc...........!................P........ ...............................`......"w....@A................................D%..P....@...............(...R...P..<.... ..T............................!..@............ ..d............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..<....P.......&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zip.exe

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301504
Entropy (8bit):	6.49043668203017
Encrypted:	false
SSDEEP:	6144:remIWncUsq/i4vo6cRwtf/STC47MSzISIJTc6TDVO:ajccjai4vo6cRb+4QScSI7E
MD5:	4410900FB42EE1291627427BB9C7F3FB
SHA1:	F25009F1DA682D56548B8621BADCDD99DC1C4414
SHA-256:	19726ED6B075FB56BF5C5260766411AA7BB1C39F43476A9712C90306E2CBEF9B
SHA-512:	F315D6BD50AB20D6420BB9B0123EDF069A6442049F16A72615232AABCC371576EFCCF000074AAACC3FBB370B04B09F63735F80201918E35D5CF7B24C438214E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM................PE..L.....xH................. ...@.......u.......0....@..........................p..............................................XH..P....`.. ............p...)...........................................................0...............................text............ .................. ..`.rdata..."...0...0...0..............@..@.data........`.......`..............@....rsrc... ....`.......`..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\zlib1.dll

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91584
Entropy (8bit):	6.918973229700604
Encrypted:	false
SSDEEP:	1536:Yue8cAbT3KO9ZTRgyI/0DseAAPMD6eJPOvuk1Vx8sDmIOQIOm5AbwPvB7XYxc:k8p6O9ZFtDskMD7Ouk1Vx1DEGmcwPvBJ
MD5:	7A85BCF3BA2CDB70FFD7C67E8FD079EF
SHA1:	50688A161D30C9095CFA8B7419E04FBE9D90B47C
SHA-256:	6AC5061543C831D0A554AC1A872FA5D7A045DC5FCDCCDE99B5898D695ADAF4AE
SHA-512:	8841341C7E59E37D60E04B570D768408E776B62F71FDFF369DD4904DB83FC4B0494215AC65E94682D60009556B9F55E038B9A9462ED6396865AF4B322F0390EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.3.7...6...7...6...7...6.3.....6.3.3...6.3.2...6.3.5...6...2...6...6...6.......6...4...6.Rich..6.................PE..L......d...........!...$.....n...............................................p.......Y....@A.........................2.......9.......P...............<...)...`.......-..p............................,..@............................................text............................... ..`.rdata..x^.......`..................@..@.data........@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\3df3bd.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {B27D822E-68C4-4CF6-961C-F62B0D119E2A}, Number of Words: 0, Subject: Windows, Author: ElLGDUGELFDK, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 17:35:37 2024, Last Saved Time/Date: Thu Dec 12 17:35:37 2024, Last Printed: Thu Dec 12 17:35:37 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	4526080
Entropy (8bit):	6.5649194117879635
Encrypted:	false
SSDEEP:	49152:0omhaJBcvYnZ5iXuoRNeycFTznJ95U0zjjZVeZlPjgzixI+vGYRnAWNTWw5EQbhp:WABcveycl20iuW5CfTRWXpd
MD5:	7E49C843B9BE3C41508F60E1DF899C48
SHA1:	EDFD6BC81E67DBC9F2B513BC0404AB73FD0F7CBB
SHA-256:	EECAFC62E71A490B60B1C5A72F70794B15DB756AB879F2AA63307DFA6283367C
SHA-512:	CCADE37586A0F3C9E555ED9E68534271057363B8D4F0AA10003522972EAD59A875F39E5EEC257575EF94C0469E3DD7B377032F5BF409D4C9598A7D465A5D606A
Malicious:	false
Preview:	......................>...................F...........................................................................................{.......^.......0...1...2...3...4...5...6...7...8...9...:...;...........................................................................................................................................................v"..........................................................................................................................................................................z.......................4...7................................................................................... ...!..."...#...$...%...&...'...(...)...5...+...,...-......./...0...1...2...3.......=...6...8...K...9...:...;...<...@...>...?...G...A...B...C...D...E...F...I...H...J....!..\|...L...M...N...O...P...Q....!..S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI1A66.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1A96.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1B81.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100241
Entropy (8bit):	6.332948874214734
Encrypted:	false
SSDEEP:	1536:TKAci12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhXh:TKjWO0ioC3DID/ZxvpY1yRe5ObhXh
MD5:	6C39052C7836347CDA5026735D3CC24A
SHA1:	27B1B10C4A8363AA914C9A9CE5ADC6034E1F59A8
SHA-256:	B5328918BCAAECA413F38AF5A2FE0BACB40DBB0F37F7D29994DA8592BDD1D63F
SHA-512:	006587B9F66A16EDA672DD90CAA19195A2E7A00E9CB2F9B7EBE4A6CCC984F7F0BF8026B83D70B3CAA597EE034391B1DE8D9029E4D2750ABC3F4B4169746139C0
Malicious:	false
Preview:	...@IXOS.@.....@I.(Z.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{B27D822E-68C4-4CF6-961C-F62B0D119E2A}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Qh....@>....@.....@.]....&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}d.02:\Software\Caphyon\Advanced Installer\LZMA\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\1.1.6\AI_ExePath.@.......@.....@.....@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}M.02:\Software\ElLGDUGELFDK\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\AI_IA_ENABLE.@.......@.....@.....@......&.{EC42FCB1-8AAF-4702-9E48-B83254BD3FB0}+.C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll.@.......@.....@.....@......&.{BDAF5FA3-1BA6-42D1-894D-41DA643F7A2B}..C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll.@.......@.....@.....@......&.{25BC8264-C934-445D-B75A-54A198CB23F0

C:\Windows\Installer\MSI3D33.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	83968
Entropy (8bit):	6.283009388320045
Encrypted:	false
SSDEEP:	1536:Qi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhX:WWO0ioC3DID/ZxvpY1yRe5ObhX
MD5:	0CD6E3C177AE2D5491D06F05748147D1
SHA1:	18934C204E18D3DB17EC07A8B67A79DE38A24D6B
SHA-256:	C6168948683071FF85C9504F988B72B1F341A7BF4A77E1591F827AEF1514B805
SHA-512:	B66663DB171976DBAE987A994B887F687CC807402A95D55802EDE2BB23907B360C9548B40F4D6D59C05B32CC7E8E77081F5B1703B27E2CD0664DA15C490DD5E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........w...$...$...$...%...$...%x..$...%...$...%...$...%...$...%...$...%...$...$...$;..%...$;..%...$;..%...$Rich...$................PE..L.....Zg...........!................,.....................................................@..........................;..P....<..<............................p..@...`/..8....................0......./..@...............8............................text............................... ..`.rdata...c.......d..................@..@.data...`....P......................@....reloc..@....p.......8..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB1E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB8C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIBCC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC0B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145696
Entropy (8bit):	6.517876267164052
Encrypted:	false
SSDEEP:	24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
MD5:	BD9A5B67A4125207CB64929B2CCB7E00
SHA1:	0704C904E63000F7A63527C10D722E0D2D32520D
SHA-256:	8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
SHA-512:	9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e...............v.......v......................A....v.......v.......v..........!......I...........'.......O............Rich....................PE..L......e.........."!...'.^...................p............................................@A.........................................................>..`=...0...B.....p...........................0...@............p..4............................text....\.......^.................. ..`.rdata..z....p.......b..............@..@.data...d.... ......................@....rsrc...............................@..@.reloc...B...0...D..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC5A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616049802032926
Encrypted:	false
SSDEEP:	12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
MD5:	D4423CDEA4650917773B680EB52F9A32
SHA1:	B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
SHA-256:	12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
SHA-512:	B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L...~..e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC7A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	891744
Entropy (8bit):	6.591441088104074
Encrypted:	false
SSDEEP:	24576:p7flQGfU0TlCtFLB7YvYqh0lhSMXlfR5E3VXuoRM:phaJBcvYnZ5iXuoRM
MD5:	7D612A5B0C0CFECA3BE4B5D371CBC499
SHA1:	6D03AA02DCCB8DF9233903C8A56E54701E465F81
SHA-256:	E48ACC344635DE65863E9A02DD83EC76AF6CFD8E7433CAB9E0AC958B65C1A88E
SHA-512:	A68CA046B0BD4CBE880D89F106491C39873ED516CA2D7FF2CDE6B28B44E2F773C1C38C66EF73CB124EE205954DA315D9C4A264D3D6F4D0D2B4A5B6A4C26764DB
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......xi/x<.A+<.A+<.A+.zB7.A+.zD..A+..E..A+..B$.A+.zE%.A+..D].A+.zG=.A+.z@+.A+<.@+Z.A+.Hw.A+.A=.A+..+=.A+<..+=.A+.C*=.A+Rich<.A+........................PE..L......e.........."!...'.............7...............................................^....@A........................ ................ ..h............^..`=...0..........p...................@.......@...@.......................@....................text............................... ..`.rdata..N...........................@..@.data...('..........................@....didat..H...........................@....rsrc...h.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.693247035641696
Encrypted:	false
SSDEEP:	96:h7j8N5t4Igt8npXY/dAc7zOiIQ4ew2ATOzcA9T9lnn9:h7j8PgtOXydAWCQsi4A9Tn9
MD5:	0C66169365C6E716ED80CE4DB8FFA7F9
SHA1:	2DE5794F80CDDF32194724406126EB9BB9CDBB60
SHA-256:	A51DBEEA19584DDBF58EC810161CE9972E3EEAA07C522B7F9BD4364F9B07CA99
SHA-512:	A1FEFFF9D9FE28D17167E4BEE3F308113438B1E801913DA8948AD927B2756FBAAF9A506701A6D707EBD6F3380D598CF1525D5B2D0D0E5E29B5A687C2DDD897B8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.3687861662780003
Encrypted:	false
SSDEEP:	48:a8PhHuRc06WXJkjT56dHh62h5dAPSkdAVT2iu:lhH1njTch6M0PS9u
MD5:	5C75C862D211F4A4E68D594BC1E06D87
SHA1:	A873800EA87E88D0942B3280CBED2648D3E54839
SHA-256:	23B3A6A66A91B54B2A465D5FAA2CF100D2BD388C0E39567D84FFD06158C5EE95
SHA-512:	891954971CEE88FF1E0CF5BC5E902006C833402C966FB44F4B45ABC0C12DB33392E980C39C12ECFE0625F2B1408B03F4B1C2431C7543BE0397C061CBA0E944E2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375168550692953
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauD:zTtbmkExhMJCIpEra
MD5:	B375AD4CFD9191050C68AE713596688F
SHA1:	64D9F18FB1E5BDACB2010436A3021728616A0A17
SHA-256:	A7459849E4156082978156818CDDD1673A48C46C28DA5B92D796CDD7E42BC865
SHA-512:	694D8FBB589168F2FA9492557E7E89058A0262AE0C55C7A0DA6DC877D876DBFEE03C121E76DFD9D84A341115AFA42E8750C3EE645B261F62420E6FEA917D3EC9
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\libjyy.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.306110093863139
Encrypted:	false
SSDEEP:	192:6iYHzHaybK7GfupSSFGGmUxrpeeNodkYYDOicjOcB4FLkkV4nizjuMx:7W+7GfNSFGGpxidTPj/B4ykV4n0V
MD5:	FB125A7095456E73B66C6254019E6834
SHA1:	A59C178ABFA287C03C00373C84F95FE81E2AE516
SHA-256:	364A5FDDFBC66BD6CDF6BE273124795124A1C91CA8749B40ADA93130106E7315
SHA-512:	9B6F6FA3C53EA6EBF9F25B7BB44678B991FB844A842B9F04233F62E170A4882AFBCE1F6D793DC3FA87D2EBEDBCD55246C28CC3324BCF71500151BF1DB8E5AD78
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z............c_.....n.....n.....n.....n.....c..........-n....-n....-n....Rich...................PE..L.....Tg...........!.................$.......0...............................p............@..........................:..T...D;...............................`......$6..8...................@7......`6..@............0...............................text............................... ..`.rdata..(....0......."..............@..@.data........P.......6..............@....reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1E593F6C78664ECC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2983764493701626
Encrypted:	false
SSDEEP:	48:z0fu/I+CFXJ/T5ydHh62h5dAPSkdAVT2iuNdAgujuWSkdARUuxPZuXxPSGofxmx4:YfFnTUh6M0PS9uAhSRB9GoaeGa
MD5:	0293E6DA49ECDAA7EB0F3A7627174EF4
SHA1:	4D4B19EF635A1E79449A7893823FE4FF2B300E50
SHA-256:	39F2CF456B6606D25DA120E4D84B873A3EF2F3DD13CD985FD26EA7A4815850BF
SHA-512:	BEB3918D51E0BF623D4B837FB26A7216B951DD90CB9107BE16E5788F5308A63B2B89132CE634BBAE915AE3ABB8A1CBB50E11A39934474C9FE91E8CCCD05BF6AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3F0241F0C8017BF9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C97ABC3EF7E106B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.3687861662780003
Encrypted:	false
SSDEEP:	48:a8PhHuRc06WXJkjT56dHh62h5dAPSkdAVT2iu:lhH1njTch6M0PS9u
MD5:	5C75C862D211F4A4E68D594BC1E06D87
SHA1:	A873800EA87E88D0942B3280CBED2648D3E54839
SHA-256:	23B3A6A66A91B54B2A465D5FAA2CF100D2BD388C0E39567D84FFD06158C5EE95
SHA-512:	891954971CEE88FF1E0CF5BC5E902006C833402C966FB44F4B45ABC0C12DB33392E980C39C12ECFE0625F2B1408B03F4B1C2431C7543BE0397C061CBA0E944E2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5FAA111600AB8153.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2983764493701626
Encrypted:	false
SSDEEP:	48:z0fu/I+CFXJ/T5ydHh62h5dAPSkdAVT2iuNdAgujuWSkdARUuxPZuXxPSGofxmx4:YfFnTUh6M0PS9uAhSRB9GoaeGa
MD5:	0293E6DA49ECDAA7EB0F3A7627174EF4
SHA1:	4D4B19EF635A1E79449A7893823FE4FF2B300E50
SHA-256:	39F2CF456B6606D25DA120E4D84B873A3EF2F3DD13CD985FD26EA7A4815850BF
SHA-512:	BEB3918D51E0BF623D4B837FB26A7216B951DD90CB9107BE16E5788F5308A63B2B89132CE634BBAE915AE3ABB8A1CBB50E11A39934474C9FE91E8CCCD05BF6AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF702667921D20EADD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8D0285FBF2AF04CB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF91015F94AFA8EBF0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF92BCC5A6414BCA0F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF947630386539E8EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.3687861662780003
Encrypted:	false
SSDEEP:	48:a8PhHuRc06WXJkjT56dHh62h5dAPSkdAVT2iu:lhH1njTch6M0PS9u
MD5:	5C75C862D211F4A4E68D594BC1E06D87
SHA1:	A873800EA87E88D0942B3280CBED2648D3E54839
SHA-256:	23B3A6A66A91B54B2A465D5FAA2CF100D2BD388C0E39567D84FFD06158C5EE95
SHA-512:	891954971CEE88FF1E0CF5BC5E902006C833402C966FB44F4B45ABC0C12DB33392E980C39C12ECFE0625F2B1408B03F4B1C2431C7543BE0397C061CBA0E944E2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCEBD2D37BF04880E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2983764493701626
Encrypted:	false
SSDEEP:	48:z0fu/I+CFXJ/T5ydHh62h5dAPSkdAVT2iuNdAgujuWSkdARUuxPZuXxPSGofxmx4:YfFnTUh6M0PS9uAhSRB9GoaeGa
MD5:	0293E6DA49ECDAA7EB0F3A7627174EF4
SHA1:	4D4B19EF635A1E79449A7893823FE4FF2B300E50
SHA-256:	39F2CF456B6606D25DA120E4D84B873A3EF2F3DD13CD985FD26EA7A4815850BF
SHA-512:	BEB3918D51E0BF623D4B837FB26A7216B951DD90CB9107BE16E5788F5308A63B2B89132CE634BBAE915AE3ABB8A1CBB50E11A39934474C9FE91E8CCCD05BF6AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE4362B7D0A800227.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.412949524892402
Encrypted:	false
SSDEEP:	96:D9lnn9sant4Igt8npXY/dAc7zOiIQ4ew2ATOzcA:Dn9sanPgtOXydAWCQsi4A
MD5:	66DE3146F86B883D5CD814486EC75D9B
SHA1:	025E0710E1832778748722A44D47E110CB9A051B
SHA-256:	7EBF52A083171A4B78989DD4A03EEB0F020B4AC0D37EFE6E01FFF089E27304AE
SHA-512:	78FF35D72482CF51C196EEA942CD40B3F9013E4EF237D8C5EB5537BFFC92231DC70416B1FE6FE2A5FE41F98627107FA39D4E12AB238C17EE53E11EACE1DAC1CD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE5C87C3556A36F6B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	0.3594667993127404
Encrypted:	false
SSDEEP:	48:oiuCT4dAPSkdAYdAgujuWSkdARUuxPZuXxPSGofxmxYD8xYzIoxPJx1xL7x2xqx/:husPS1hSRB9GoaeGaGMlh
MD5:	53898C06DDDDD764B6E9D5142F635DA5
SHA1:	933A9E68AFCE1B939344CC55E7B84261BB5E777B
SHA-256:	7CE6AAB49A4C37FA661A0CE647967519AFE3571C29D4B524B3813BE615B26B07
SHA-512:	C3FF8EBCC9A657CFCEEFD6F626D279BCAC89FF8B8C2A7463BFCE9900F4A0B992D254806E27D885194786CACEC659F48C93A271E99CF7CB6EF49889761DCBE87B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.182165919723824
Encrypted:	false
SSDEEP:	12:pporCVZcRwNjppyT5i9NRi9KswBsviJAIkzLGNVs:ppH4wNjpoT5uVNBsviJAIzPs
MD5:	33E561872AF6ADD2B13E8C7058BBC39A
SHA1:	307EDD76E9AF422D9B66D0202E651D3D5CBA8C03
SHA-256:	15637A01FC402B2FEFF8D77E64BCDC855DA18ECBB54B2AB00D061A004D0EEB0C
SHA-512:	529A4C7691137E12637FC666E0FD6BB096E8375B1A2F880A4A839C1AD40AB02AB3B1193E0F95AC6581BE754379C98D7886AEDBCB6077DAA3851FC9425F7DC3A5
Malicious:	false
Preview:	..7-Zip 22.01 (x86) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15....Scanning the drive for archives:.. 0M Scan C:\Program Files (x86)\IkCWSTWLLRQX\. .1 file, 204 bytes (1 KiB)....Extracting archive: C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA..--..Path = C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA..Type = 7z..Physical Size = 204..Headers Size = 204..Solid = -..Blocks = 0.... 0%. .Everything is Ok....Folders: 2..Files: 1..Size: 0..Compressed: 204..

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.619358324205336
Encrypted:	false
SSDEEP:	3:9x5I2Y1AnDl/ElLn:9gGDlELn
MD5:	4C021AD18030658CCB6CA287CA6ABA83
SHA1:	C3CBB66AD64400B1C5C85FE81D2A361D78C2C904
SHA-256:	BF963F79579A0C5BDCE80A349FFE61D4749AB67140BF4986C74F02118E81B7E9
SHA-512:	BF5542EED27766BD74634718B7D3FA20F8DA50763C889DAD1F4D7953A8AD7D5A8761F51F9D16342DB1029C8A5CC9A6E1CFE528765FC1309D73E7BD8440523BA8
Malicious:	false
Preview:	....1.2.3.7.1.6.....\MAILSLOT\NET\GETDC9E787E4D.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.938246108426095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	e-SPT Masa PPh.exe
File size:	29'409'880 bytes
MD5:	097c653ddf86f75924a7192fb612b889
SHA1:	23fc34bf9649a820a98148697e99ae3c4919ed76
SHA256:	bbd7bf7a8d98d3cf5fb8c3f089ca61b57021fbed911465d5caf405d69a531439
SHA512:	ab4b2fd9b47191ca4080d1f691619746372dd178087dcc8a69c35b958f37804783cf93dc96e524c544993c34eefcf803396914200d562483cbcddaf41090baf3
SSDEEP:	786432:9sou6kPzeDtaWXUwkKS2jgcQBBEJFJ4UpnMIQq:9sou6kPzekW/82MIJd5Z
TLSH:	1C572230765EC52ED56215F0592CABAB911C6E2A0BA1E4C7B3DC7D6F27700CB0636E1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........^............$...L...$.......5w......5w......5w......$.......$.......$.......$................t..s....t........}......t.....

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x60d060
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DC9518 [Mon Feb 26 13:41:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36aca8edddb161c588fcf5afdc1ad9fa

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=gsearch.media, O=solidfiles.com, C=BE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/12/2024 17:35:18 10/12/2033 17:35:18
Subject Chain	CN=gsearch.media, O=solidfiles.com, C=BE
Version:	1
Thumbprint MD5:	1C2029D784E5D1AEF962BEDC9F5BB87F
Thumbprint SHA-1:	687D3A8C05DEA32A25D223E8E45A381F7EED5B64
Thumbprint SHA-256:	BF16BBF13133506180C4F319ACAE67AC9965924CAEC757BE872F04CBFE6CF6F7
Serial:	01

Entrypoint Preview

Instruction
call 00007FA530C0E30Bh
jmp 00007FA530C0DB4Dh
push ebp
mov ebp, esp
and dword ptr [00750BACh], 00000000h
sub esp, 24h
or dword ptr [0074D020h], 01h
push 0000000Ah
call dword ptr [00699268h]
test eax, eax
je 00007FA530C0DE82h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FA530C0DD15h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FA530C0DCF5h
cmp eax, 00020660h
je 00007FA530C0DCEEh
cmp eax, 00020670h
je 00007FA530C0DCE7h
cmp eax, 00030650h
je 00007FA530C0DCE0h
cmp eax, 00030660h
je 00007FA530C0DCD9h
cmp eax, 00030670h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34b628	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35b000	0x2bc6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1c08410	0x3e48
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x387000	0x2d8dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ed470	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ed500	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2beb60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x299000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x348abc	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x297ffa	0x298000	29574c003e7650370b1e798db166baa5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x299000	0xb3882	0xb3a00	f523101c03398dae1aa0e7a390821e4a	False	0.32717765962073764	data	5.062684731919462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34d000	0xcb80	0x3400	89858263f7a9bdeb103a05738065c24d	False	0.2342247596153846	data	4.4608179073550644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x35a000	0x70c	0x800	4e727b159dc2a9374ea3e8e577a705cb	False	0.41064453125	data	4.529809413662669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x35b000	0x2bc6c	0x2be00	ef42afc6e27ad4ad3de111b8732b8a71	False	0.11824474715099716	data	5.165051371980061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x387000	0x2d8dc	0x2da00	7ced727d545c53e09b9ec0c023e2f6c6	False	0.47758989726027395	data	6.5647595604033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x35b910	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x35ba50	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x35c278	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x360b20	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x36158c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x3616e0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x361f08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Chinese	China	0.027204502814258912
RT_ICON	0x362fb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.08703319502074688
RT_ICON	0x365558	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.16463414634146342
RT_ICON	0x366600	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.18565573770491803
RT_ICON	0x366f88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.3262411347517731
RT_DIALOG	0x3673f0	0x98	data	Chinese	China	0.75
RT_DIALOG	0x367488	0xc4	data	Chinese	China	0.6938775510204082
RT_DIALOG	0x36754c	0x16c	data	Chinese	China	0.5714285714285714
RT_DIALOG	0x3676b8	0x104	data	Chinese	China	0.6307692307692307
RT_DIALOG	0x3677bc	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x367808	0xf0	data	Chinese	China	0.85
RT_STRING	0x3678f8	0x124	data	Chinese	China	0.6541095890410958
RT_STRING	0x367a1c	0x3e	data	Chinese	China	0.7580645161290323
RT_STRING	0x367a5c	0x78	data	Chinese	China	0.44166666666666665
RT_STRING	0x367ad4	0x194	data	Chinese	China	0.7425742574257426
RT_STRING	0x367c68	0x3ee	data	Chinese	China	0.510934393638171
RT_STRING	0x368058	0x3ae	data	Chinese	China	0.38110403397027603
RT_STRING	0x368408	0x78	data	Chinese	China	0.85
RT_STRING	0x368480	0x1ce	data	Chinese	China	0.7748917748917749
RT_STRING	0x368650	0x11e	data	Chinese	China	0.6048951048951049
RT_STRING	0x368770	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x3688fc	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x368b14	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x369138	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x369798	0x396	data	English	United States	0.3867102396514161
RT_GROUP_ICON	0x369b30	0x14	data	Chinese	China	1.1
RT_VERSION	0x369b44	0x118	PDP-11 overlaid pure executable not stripped	Chinese	China	0.6142857142857143
RT_HTML	0x369c5c	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x36d494	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x36e7ac	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x377424	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x37def4	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x37e598	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x37f5e4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x380b98	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x382bf4	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_HTML	0x386284	0x1d7	ASCII text, with CRLF line terminators	English	United States	0.6008492569002123
RT_MANIFEST	0x38645c	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	Chinese	China	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, CloseHandle, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, LoadLibraryA, CreateFileW

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T08:58:44.684902+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	52312	154.82.113.139	63701	TCP
2025-01-08T08:59:44.763721+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	52312	154.82.113.139	63701	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 08:58:41.512989044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:41.517810106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:41.518248081 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.139292002 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.144259930 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144277096 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144284964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144294024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144304037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144351959 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.144372940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144387960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144388914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.144417048 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144427061 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144457102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.144459963 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.144478083 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.144545078 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.149276018 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.149286985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.149331093 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.149339914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.149341106 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.149435043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.153940916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.153950930 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.153959990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.153969049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.153976917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.153980017 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.154195070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.154325962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.154395103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.158909082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.684901953 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:44.690274954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.850471973 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:44.903371096 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:45.056288004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:45.057512045 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:45.062325954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:45.142894983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:45.184607029 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:46.318830967 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:46.323719978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323853016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323862076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323869944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323880911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323901892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323910952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323970079 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.323978901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.324115992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.328496933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.328506947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.328517914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:46.328538895 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:47.732091904 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:47.736965895 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:48.030051947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:48.077148914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:49.200107098 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:49.200225115 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:49.205046892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205060005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205075979 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205090046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205100060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205190897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205199957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205234051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205243111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.205393076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.209789038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.209798098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.209808111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.209811926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:49.209820986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:50.778438091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:50.783288002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.076407909 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.122112036 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:51.788738012 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:51.793639898 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793653011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793672085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793684006 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793693066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793761015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793807983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793817043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793827057 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.793982983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.798294067 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.798337936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.798346043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:51.798391104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:53.825489044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:53.830395937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:54.123413086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:54.168998003 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:55.515307903 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:55.520184040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520217896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520227909 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520243883 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520252943 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520361900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520370960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520399094 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520462990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520472050 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.520479918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.524882078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.524890900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:55.524899960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:56.919234991 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:56.924009085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:57.217216969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:57.262742043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:58.718183041 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:58.723665953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723678112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723695993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723705053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723759890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723768950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.723776102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.724376917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.724389076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.724399090 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.724406958 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.724415064 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.728904009 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:58.728913069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:58:59.981595993 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:58:59.986466885 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:00.279520988 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:00.325248003 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:01.155980110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:01.160926104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.160939932 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.160965919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.160975933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161066055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161075115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161082983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161092997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161113024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.161120892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.165652037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.165659904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.165676117 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:01.165683985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:03.028789043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:03.033634901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:03.326879025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:03.372136116 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:04.094489098 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:04.099308014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099324942 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099394083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099402905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099481106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099505901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099674940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099689960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099744081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.099848032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.104015112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.104089022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.104098082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:04.104106903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:06.075979948 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:06.080799103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:06.374232054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:06.419008017 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:07.208348036 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:07.213268042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213279963 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213298082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213305950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213325977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213335991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213346958 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213952065 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213960886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213978052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.213988066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.214003086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.214011908 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:07.214021921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:09.122246027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:09.127051115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:09.420368910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:09.469949961 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:10.136554956 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:10.141387939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141428947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141438961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141458988 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141469002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141531944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141540051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141644955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141664028 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141671896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141715050 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141722918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141772985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:10.141782045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.169181108 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:12.174002886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.467523098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.512769938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:12.863734961 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:12.868689060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868700027 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868716955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868729115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868803024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868812084 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868855953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868864059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868911028 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868918896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868968010 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868976116 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868987083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:12.868994951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:15.170650959 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:15.175508022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:15.468908072 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:15.512785912 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:16.486057997 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:16.490927935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.490937948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.490967035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.490976095 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491018057 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491028070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491036892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491071939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491146088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491153955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491189003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491198063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491245031 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:16.491254091 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:17.989917040 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:17.994791985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:18.288575888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:18.340909958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:19.263375044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:19.269053936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269067049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269167900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269176006 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269188881 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269196987 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269295931 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269304991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269311905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269320965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269440889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269449949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269463062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:19.269470930 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:20.591068983 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:20.595890045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:20.889147043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:20.934660912 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:21.914068937 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:21.918989897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919001102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919020891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919028044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919032097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919068098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919173002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919181108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919188976 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.919203997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.923758984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.923768044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.923923969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:21.923932076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:22.950448990 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:22.955395937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.248502970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.309648037 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:23.720484972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:23.725420952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725431919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725442886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725485086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725532055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725541115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725573063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725580931 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725656986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725666046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725701094 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.725712061 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.730113029 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:23.730123043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:24.981822014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:24.986628056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.280081034 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.325308084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:25.690381050 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:25.695295095 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695306063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695359945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695369005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695427895 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695436954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695497036 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695506096 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695542097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695549965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695585966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695684910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695693970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:25.695722103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:26.809938908 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:26.814750910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.107940912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.153417110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:27.524049044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:27.528939962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.528986931 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529145002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529162884 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529218912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529227972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529288054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529297113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529334068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.529342890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.533782005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.533792019 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.533798933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:27.533807993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:28.497350931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:28.502283096 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:28.795351982 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:28.840920925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.194861889 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.216000080 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.528424025 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.931977987 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932044983 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932220936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932281971 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932307959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932354927 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932389975 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932440042 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932471991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932482004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932490110 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932499886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932516098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932524920 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932549000 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:29.932560921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932657003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932667017 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932763100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932771921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932780027 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.932789087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940289974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940375090 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940393925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940412045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940419912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940428972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940437078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940448999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940457106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940496922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940505981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940561056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.940570116 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:29.997598886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:30.002788067 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.432723045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.481581926 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:30.851501942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:30.856411934 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856426001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856443882 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856453896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856472015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856481075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856532097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856542110 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856579065 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856587887 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856616020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856625080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856667042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:30.856682062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:31.372864008 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:31.377809048 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:31.671760082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:31.715915918 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:32.046192884 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:32.051172972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051187038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051232100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051242113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051325083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051333904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051428080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051486969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051526070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.051569939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.055915117 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.055922985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.055927038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.055933952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.591025114 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:32.595844984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.890675068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:32.934662104 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:33.284171104 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:33.289130926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289144039 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289169073 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289179087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289196968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289205074 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289217949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289227009 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289242983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289251089 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289350986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289365053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289372921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.289390087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.700414896 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:33.705166101 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:33.998372078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.044044018 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:34.390177965 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:34.395051956 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395065069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395077944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395138979 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395147085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395155907 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395162106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395183086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395370960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395380020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395389080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395503044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395510912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.395522118 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:34.715997934 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:34.720738888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.014074087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.059669018 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:35.403215885 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:35.403426886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:35.408119917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408132076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408165932 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408174992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408222914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408231974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408272982 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408292055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408312082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408319950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408359051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408368111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408421040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.408430099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.412775040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.622411013 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:35.627244949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.922425985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:35.965943098 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:36.381155968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:36.386059999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386101961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386111021 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386145115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386256933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386265993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386351109 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386358976 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386389971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386398077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386445999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386454105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386496067 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.386503935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.450747013 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:36.455661058 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.888228893 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:36.934674978 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.202373981 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.207171917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.361207008 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.366178036 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366189957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366195917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366283894 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366342068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366349936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366461992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366472006 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366475105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366477966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366571903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366581917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366590977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.366600037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.500516891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.544054031 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.872327089 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.877087116 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.908260107 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:37.913227081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913235903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913244963 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913249016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913278103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913306952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913429022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913438082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913454056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913460970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913496971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913505077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913556099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:37.913564920 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.170439005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.215922117 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:38.497834921 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:38.502629995 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.616940975 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:38.621856928 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.621870041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.621879101 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.621886969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.621944904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.621953964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622001886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622009993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622055054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622062922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622098923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622108936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622124910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.622137070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.795717955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:38.840929985 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.067318916 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.072164059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.226466894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.231342077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231350899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231403112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231411934 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231427908 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231436014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231481075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231558084 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231565952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231610060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231618881 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231666088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231674910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.231703043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.365799904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.419049025 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.591689110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.596513033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.793921947 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.794059992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:39.798830032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.798840046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.798878908 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.798888922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.798969030 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.798985958 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799118042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799125910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799170971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799217939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799268961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799346924 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799468040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799477100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.799479961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.889645100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:39.934700012 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:40.044380903 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:40.049184084 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.336956024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:40.341876030 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.341886044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.341927052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342005968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342055082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342072010 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342154026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342161894 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342215061 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342223883 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342283964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342293978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342310905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.342314959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.383680105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.387788057 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:40.477497101 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:40.482440948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.844269037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:40.887799978 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.031822920 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.036587954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.271902084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.277235985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.277255058 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.277296066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.277304888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282358885 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282367945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282392025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282402992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282419920 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282428026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282449961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.282984018 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.283077002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.283085108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.331012011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.372186899 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.489911079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.494693041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.778409004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.783252954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783262968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783346891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783354998 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783390999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783400059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783442020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783451080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783502102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783509970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783524990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783533096 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783627033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.783634901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.791924000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:41.840934992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.863940954 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:41.911685944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.156271935 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.161050081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.185590982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.190449953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190485001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190540075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190593004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190671921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190680981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190732002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190741062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190865040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190875053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190877914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190886021 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190977097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.190985918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.285540104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.340919018 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.419488907 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.424274921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.486180067 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.530980110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.631268024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.636109114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636120081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636189938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636198997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636219978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636228085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636328936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636337996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636357069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636364937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636380911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636392117 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636477947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.636486053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.653702974 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.658538103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.717375040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:42.762810946 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.927972078 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:42.932857037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.080799103 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.086738110 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086749077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086755991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086766005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086813927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086822033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086829901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086838961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086848021 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086855888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086867094 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086874962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086955070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.086963892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.135983944 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.138998032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.140826941 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.187645912 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.345124006 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.392060041 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.392124891 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.396995068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.551666021 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.622205973 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.709326982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.714112997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.736850023 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:43.741724968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741735935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741808891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741827011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741939068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741947889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741975069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.741985083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742058039 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742067099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742094994 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742213964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742222071 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.742224932 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.763984919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:43.809683084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.007529974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.062613964 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.107692003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.219327927 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.224169016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.372966051 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.377821922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.461225986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.482265949 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.487016916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.508498907 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.513325930 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513376951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513463020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513547897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513592005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513601065 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513675928 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513684988 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513819933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513891935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513930082 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.513938904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.514050007 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.514106989 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.578283072 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.583082914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.667469025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.670759916 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.675534964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.763720989 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.768598080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.809029102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.856565952 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.857966900 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.862719059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.943108082 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.948010921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948061943 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948071957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948118925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948375940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948393106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948451042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.948466063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:44.961271048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:44.966088057 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.044439077 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.049336910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.056962967 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.106569052 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.123539925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.171720982 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.173115969 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.177927971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.218271971 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.223068953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.245644093 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.266694069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.311691999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.341564894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.346549988 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.376869917 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.382384062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.388068914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.392905951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.435091972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.439884901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.481913090 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.486742020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.494554043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.528927088 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.579689026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.581119061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.586008072 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.638220072 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.643023014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.677764893 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.687589884 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.735747099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.740850925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.745696068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.779112101 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.781023979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.815862894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.820740938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.820780993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.820835114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.820908070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.821024895 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.821033955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.821079016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.863712072 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.864248037 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.869081020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.888398886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.893208981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.932115078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.937750101 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.987723112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:45.990293026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:45.995085955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.028655052 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.034429073 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.075686932 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.081197977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.114857912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.120409966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.120482922 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.125344038 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.171695948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.171780109 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.176559925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.218357086 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.223176956 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.263745070 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.268568993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.321161032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.336087942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.339940071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.340955973 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.344841003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.344873905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.344894886 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.344954967 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.345010996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.345073938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.345082998 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.355241060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.376928091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.423734903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.434997082 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.439847946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.444485903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.483983994 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.531718969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.532658100 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.537439108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.575453043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.575781107 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.580240965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.624125957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.624176979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.626955986 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.631903887 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.667043924 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.684855938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.731679916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.731762886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.736562967 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.736695051 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.741516113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.741588116 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.746372938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.746464014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.751240015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.751339912 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.762959957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.763034105 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.767802000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.767882109 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.772685051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.772773027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.777585983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.777662992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.782417059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.782470942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.787292004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.787344933 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.792130947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.792186022 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.794784069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.794831991 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.799623966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.813183069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.821827888 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.826694012 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.826744080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.826746941 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.826836109 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.826908112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.826916933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.826958895 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.831532955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.837740898 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.849522114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.849567890 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.895725012 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.895921946 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.900907040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.904685020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.921986103 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.967861891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.967919111 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.972686052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.972733974 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.977516890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.977566004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.982383013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.982426882 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.987251997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.988662004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.993547916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.993690014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:46.998717070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:46.998768091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.004041910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.013482094 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.024285078 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.061413050 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.061500072 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.109652996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.109783888 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.110742092 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.110754013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.110764980 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.110790014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.110806942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.114634991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.116349936 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.123405933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.123456955 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.128245115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.128313065 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.133095980 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.133166075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.137959957 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.138042927 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.142797947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.142877102 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.147701025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.147763968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.152551889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.152642965 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.153048038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.153099060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.157896996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.157974958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.189568043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.194375038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.194539070 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.199450970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.199538946 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.207875013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.207964897 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.249912977 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.254770994 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.254940033 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.259721041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.259790897 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.281485081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.281579971 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.315309048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.320188046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.320205927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.320235014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.320327044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.320353031 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.320395947 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.320450068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.320647001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.325242996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.325341940 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.341552973 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.341753960 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.373075008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.373192072 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.419692039 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.419773102 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.424565077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.424618959 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.429424047 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.429470062 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.434453964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.434495926 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.439690113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.439730883 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.444825888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.444876909 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.450155020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.450205088 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.455723047 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.455768108 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.460599899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.460649014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.464772940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.464782953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.464822054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.469655037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.474756002 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.498975992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.498997927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.499007940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.499030113 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.499046087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.521250010 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.521305084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.559123039 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.559134960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.559181929 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.611737967 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.611815929 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.615226984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.615267038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.615294933 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.617645979 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.617722988 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.620631933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.620692968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.623152018 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.623209953 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.627218008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.627295017 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.628801107 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.632719040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.633914948 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.638689995 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.638765097 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.643623114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.643676996 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.645617008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.645668983 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.650558949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.650609970 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.695734024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.696094990 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.700887918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.701878071 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.703135967 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.704334974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.707336903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.707398891 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.744826078 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.749634027 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.749771118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.762912035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.763108969 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.787719011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.787815094 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.821436882 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.826272964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.826458931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.831288099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.831367970 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.835122108 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.836440086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.836507082 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.839962959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.840010881 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.840022087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.840061903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.840223074 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.841252089 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.841298103 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.846443892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.846528053 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.878878117 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.883791924 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.883910894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.888753891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.888840914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.913058043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.913264990 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.963692904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.963762045 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.968554974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.968630075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:47.971180916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:47.971229076 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.019690990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.019800901 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.024636984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.050848007 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.055299997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.055356979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.060332060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.060378075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.062576056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.062587976 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.062629938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.067522049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.067893982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.119699001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.119786024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.124630928 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.124697924 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.129486084 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.129594088 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.130657911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.130676985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.130693913 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.130703926 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.130727053 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.130753040 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.135466099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.135855913 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.142429113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.142877102 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.178931952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.178941965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.178997040 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.227880955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.227957010 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.232769966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.232836962 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.234435081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.268699884 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.268713951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.268767118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.315700054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.321141005 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.324306965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.325958014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.326105118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.330871105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.333129883 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.337901115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.339134932 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.343920946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.344007015 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.348830938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.349737883 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.354605913 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354684114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354693890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354751110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.354779005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354810953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354826927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.354893923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.355345011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.355400085 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.360172987 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.363142967 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.413521051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.414489031 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.414583921 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.421263933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.423294067 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.428143978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.431387901 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.438724041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.439241886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.444009066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.447225094 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.452024937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.455339909 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.460117102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.463433981 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.468266964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.471183062 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.475975990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.479316950 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.484090090 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.487195969 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.491992950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.495285988 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.500068903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.503148079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.506149054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.506201029 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.511022091 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.511245012 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.547944069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.551352024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.594636917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.594728947 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.638607025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.638637066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.638689041 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.683707952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.684195042 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.686309099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.686355114 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.688962936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.691895008 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.696710110 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.696980000 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.701756954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.702204943 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.706949949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.713526011 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.718326092 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.729916096 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.730386019 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.730405092 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.730458021 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.775667906 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.775974989 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.787117958 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.787230968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.787436008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.804995060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.805252075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.851705074 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.851777077 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.852735043 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.856573105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.856658936 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.857600927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857651949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857667923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857698917 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.857786894 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857839108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857850075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.857897997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.861438990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.861517906 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.862509966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.862564087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.866314888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.866379976 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.867357016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.867495060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.867554903 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.896789074 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.897123098 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.943288088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.947278976 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.991240978 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:48.995681047 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.996113062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:48.996283054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.001487970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.003148079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.007946014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.011157990 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.015996933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.019130945 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.023945093 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.027194977 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.031951904 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.035155058 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.038821936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.038893938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.043693066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.047215939 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.082887888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.083220005 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.094902992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.095287085 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.127677917 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.132482052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.135329962 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.140130043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.143176079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.173902035 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.175069094 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.175276995 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.178811073 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.178911924 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.183784962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.184113026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.231672049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.231848001 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.236660004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.241919041 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.246721029 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.247145891 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.252007008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.254686117 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.259430885 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.259529114 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.264262915 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.264326096 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.265558004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.306247950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.306289911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.306340933 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.306368113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.306412935 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.338438034 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.338457108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.338511944 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.350691080 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.351003885 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.361953020 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.366792917 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.366940022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.366996050 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.367046118 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.367055893 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.367100000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.367150068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.392879009 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.427592993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.427602053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.427670002 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.451203108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.451217890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.451256037 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.451944113 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.484636068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.484659910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.484724998 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.514062881 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.514159918 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.559698105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.562203884 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.567095041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.568836927 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.571322918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.571392059 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.576212883 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.576267004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.609977007 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.614773989 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.617257118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.622088909 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.625135899 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.653788090 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.656286001 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.688209057 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.693037033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.693228960 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.698010921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.701149940 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.747715950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.749275923 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.769321918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.773181915 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.778079033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.778897047 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.783704042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.785146952 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.789999962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.793128014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.797890902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.801131010 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.805984020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.809122086 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.813978910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.817148924 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.821949959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.822220087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.822735071 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.867729902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.867795944 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.868057013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.868069887 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.868100882 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.868113995 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.872633934 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.872869968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.876729012 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.882373095 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.887219906 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887258053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887269020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887310982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.887353897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887476921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887489080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.887526035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.892168045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.892214060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.917021990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.917032003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.917084932 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.967673063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.967982054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.972750902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.986577034 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:49.988076925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.988091946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:49.988147974 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.031724930 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.032172918 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.036930084 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.037090063 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.041938066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.042300940 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.047158003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.047394037 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.052170038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.052746058 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.057511091 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.057581902 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.059539080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.059556007 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.059597015 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.064420938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.072686911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.072699070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.072731972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.074635983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.074676991 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.074738979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.119683981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.119771004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.121612072 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.121668100 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.121669054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.121707916 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.123575926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.123620987 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.124545097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.128391981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.128667116 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.135740042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.135782957 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.140789986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.140858889 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.145770073 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.145822048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.150837898 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.150913000 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.155889034 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.155936956 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.160882950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.160952091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.165956020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.165997982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.170907974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.170979023 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.175796032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.175847054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.180614948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.180672884 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.185440063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.185535908 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.190335035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.190408945 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.195173979 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.195234060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.199994087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.200078011 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.204855919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.204917908 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.208343029 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.208395958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.213211060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.213288069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.259720087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.259843111 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.264715910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.264776945 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.269567013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.269612074 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.274398088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.274462938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.279325008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.279401064 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.281982899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.282042027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.286859035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.286928892 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.321856022 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.326626062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.326729059 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.331496000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.331563950 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.351418972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.351525068 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.383024931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.387821913 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.387922049 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.392673969 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.392770052 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.402580976 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.407382965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407428026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407438993 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.407455921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407599926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407694101 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407732964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.407782078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.412252903 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.412302017 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.413451910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.443176031 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.443231106 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.484350920 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.484415054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.494095087 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.494138956 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.539683104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.539731026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.544873953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.544925928 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.549881935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.549926996 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.554941893 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.554987907 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.559840918 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.559884071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.566559076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.566601038 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.571798086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.571842909 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.577032089 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.577080965 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.581883907 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.581904888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.581914902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.581969976 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.585078955 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.631084919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.631097078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.631160021 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.664175034 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.668936014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.669050932 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.673831940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.676595926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.681221962 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.691503048 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.691534042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.691586018 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.717719078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.717773914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.762229919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.762309074 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.807670116 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.807799101 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.809303999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.812602043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.813590050 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.818368912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.818453074 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.823232889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.823301077 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.831823111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.831892967 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.853456974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.853574038 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.858381033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.858453989 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.863213062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.863272905 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.868024111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.868103027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.872917891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.872989893 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.877748966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.877818108 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.882567883 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.882637024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.887485981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.887545109 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.892431974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.892483950 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.893798113 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.897269011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.897330999 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.898680925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.898722887 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.898750067 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.898910999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.898919106 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.899373055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.903796911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.903851986 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.937519073 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.942302942 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.942399979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.951608896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.951700926 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.980967045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.980977058 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.981085062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.981178045 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:50.994379044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:50.994551897 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.029201031 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.029378891 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.075697899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.076061964 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.080876112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.081113100 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.085894108 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.086126089 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.090928078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.090995073 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.095773935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.096071959 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.100930929 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.101001024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.105832100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.105917931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.110723972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.110882044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.115653038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.137826920 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.142604113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.143011093 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.147818089 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.148123980 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.151137114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.151202917 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.155956984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.156039000 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.172657013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.172667027 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.172718048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.187618971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.187844038 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.192506075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.192557096 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.197371960 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.197422981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.197468996 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.229320049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.229469061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.251195908 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.251209974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.251262903 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.299674988 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.299721003 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.304538965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.304579020 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.309355974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.313143969 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.317909002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.321125984 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.325999022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.326064110 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.328798056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.328809977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.328852892 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.328867912 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.371722937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.373126984 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.379429102 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.379623890 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.384483099 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.385118961 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.389889002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.391274929 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.391341925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.391350985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.391396046 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.396136999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396155119 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396209002 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396239042 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.396318913 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396367073 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396418095 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.396491051 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.397099972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.401036024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.401096106 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.404870987 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.404931068 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.409802914 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.412697077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.412769079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.463681936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.465296030 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.466155052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.470128059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.474623919 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.479446888 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.481134892 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.485903025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.486329079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.491070032 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.493128061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.497936964 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.501137972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.505930901 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.509135962 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.513978004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.517138004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.522022009 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.525125027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.529938936 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.533127069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.537977934 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.541135073 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.545912981 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.549125910 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.553877115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.556889057 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.556972027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.584666014 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.585253000 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.608762026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.609251976 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.616622925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.617050886 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.667696953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.667777061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.672657013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.673026085 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.676734924 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.677104950 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.681925058 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.682151079 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.700824022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.700835943 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.700911999 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.751657963 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.751722097 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.762810946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.762820005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.762871027 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.786113977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.786134005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.786192894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.831680059 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.833127975 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.837903976 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.837949991 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.842716932 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.846016884 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.849425077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.856381893 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.856394053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.856435061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.872627974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.872674942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.905071020 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.909912109 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.909970045 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.909987926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.910072088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.910101891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.910162926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.910213947 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.924658060 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.924864054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.948010921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.948297024 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.995691061 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:51.996412039 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:51.996726990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.001813889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.021059036 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.025974035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.026720047 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.031567097 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.032212973 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.037051916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.037096977 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.042001963 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.042370081 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.057147980 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.057498932 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.062735081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.063374996 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.068423033 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.069102049 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.074032068 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.074539900 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.079454899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.079994917 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.085087061 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.085154057 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.089770079 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.090444088 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.095201015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.096081972 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.112682104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.113107920 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.155145884 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.161174059 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.204592943 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.205125093 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.251682043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.252675056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.267097950 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.271903038 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.296742916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.336553097 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.371112108 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.375896931 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.377247095 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.382164955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.385132074 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.387348890 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.392204046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.392787933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.392857075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.425621986 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.428159952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.429130077 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.430506945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.430568933 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.435415983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.437124014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.476784945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.477018118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.523694992 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.524221897 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.529021978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.529082060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.533852100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.533941984 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.538693905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.538770914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.543621063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.544704914 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.549516916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.551316977 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.556123018 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.556190014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.560962915 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.561042070 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.565857887 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.566035032 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.568572044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.569113016 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.573940039 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.573992968 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.619703054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.620256901 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.620547056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.625046015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.625117064 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.629878044 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.630089045 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.634843111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.634898901 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.639678001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.639862061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.644624949 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.645051003 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.649859905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.650213003 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.654969931 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.655215979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.659991026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.660047054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.664858103 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.664966106 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.669744968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.670442104 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.675309896 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.675379992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.680157900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.680448055 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.683211088 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.683229923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.683283091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.688096046 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.688149929 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.711776018 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.711967945 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.736336946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.736356020 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.736428022 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.777276993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.777338982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.825763941 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.825776100 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.825853109 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.870809078 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.875633955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.875773907 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.875808001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.875855923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.875861883 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.880428076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.880438089 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.880445004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.880477905 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.885360003 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.885561943 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.910702944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.910862923 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.959692001 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.961138964 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.962471962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.962481022 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.962626934 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.965967894 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.966072083 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.967416048 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.969118118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.970886946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.970962048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.973880053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.975745916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.975816965 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.980595112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.981116056 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.985899925 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.989134073 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:52.993916035 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:52.997123957 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.002273083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.005126953 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.009902000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.013124943 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.017899990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.021120071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.025890112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.037434101 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.042222023 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.045140028 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.049957037 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.052803040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.052908897 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.085192919 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.090066910 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.090249062 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.095035076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.095091105 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.096697092 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.096744061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.101716042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.101774931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.136766911 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.136850119 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.172133923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.172168970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.172218084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.219707966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.219819069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.224647999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.224749088 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.229536057 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.229598999 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.234361887 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.234424114 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.239270926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.239336014 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.244137049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.244203091 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.259476900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.259556055 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.307672977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.307738066 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.312535048 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.312592030 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.317379951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.317428112 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.322238922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.322282076 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.327172041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.327240944 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.331978083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.335372925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.340150118 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.340189934 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.341810942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.345160961 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.345207930 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.346277952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.346322060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.346676111 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.346765041 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.346839905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.346898079 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.346956015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.347007036 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.347039938 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.386353970 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.386367083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.386406898 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.435698986 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.435745955 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.440500975 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.443224907 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.444355965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.491691113 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.491735935 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.496545076 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.496597052 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.501369953 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.501451015 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.506239891 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.506299019 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.511111975 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.511169910 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.515933990 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.515985012 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.521020889 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.521080017 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.526118040 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.526201963 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.527628899 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.527676105 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.532438993 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.532504082 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.534960985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.534979105 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.535021067 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.535041094 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.579776049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.579900980 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.583617926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.583682060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.584914923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.584990978 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.588612080 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.588663101 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.589976072 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.590049982 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.593153000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.593209028 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.594986916 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.595036030 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.600351095 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.600435019 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.634547949 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.639446974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.639549971 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.644299984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.644366026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.671730042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.671814919 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.719810009 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.719871998 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.724688053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.724792004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.726262093 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.763593912 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.763688087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.800208092 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.805028915 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.805134058 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.809927940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.809995890 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.811477900 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.839695930 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.844520092 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844613075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844613075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.844625950 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844698906 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844779015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844815016 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.844816923 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.844860077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.849416971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.849512100 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.854315042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.854466915 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.856612921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.856622934 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.856662035 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.861413956 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.862549067 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.903211117 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.903220892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.903275013 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.944175005 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.944185972 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.944233894 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.948122025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.948175907 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.952965975 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.953018904 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:53.999849081 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:53.999898911 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.004750013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.006515026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.011286974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.011353016 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.016139030 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.016185045 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.021002054 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.023438931 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.028239965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.028283119 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.033104897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.057451963 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.076006889 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.091521025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.091639996 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.099466085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.099477053 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.099549055 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.114978075 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.117146015 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.149250984 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.155232906 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.157166958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.163283110 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.165132999 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.169133902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.169143915 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.169188023 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.174099922 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.177135944 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.212456942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.217272043 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.221154928 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.225970984 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.245759010 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.248697996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.248753071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.253560066 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.254717112 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.268671989 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.268914938 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.304594994 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.305001020 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.312767982 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.313132048 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.337353945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.339529991 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.346339941 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.349154949 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.353105068 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.357918024 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.358000994 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.358062029 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.358150959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.358325958 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.358345985 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.360543013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.363059044 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.395076990 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.399919987 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.401150942 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.405922890 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.409143925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.437376022 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.442167997 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.445167065 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.448738098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.448749065 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.448802948 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.453629971 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.454185963 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.486906052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.486915112 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.486967087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.511822939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.511832952 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.511893988 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.511904955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.529000998 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.529057026 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.575711966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.575937986 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.578485012 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.580862999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.581113100 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.585891962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.585944891 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.590732098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.591130018 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.595937967 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.596008062 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.600786924 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.600861073 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.605649948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.605819941 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.610608101 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.610654116 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.615442991 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.615551949 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.620300055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.620368958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.626132011 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.626179934 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.630966902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.631949902 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.638062954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.638117075 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.644123077 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.644176960 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.650799036 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.650854111 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.656923056 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.657109022 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.663527966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.663767099 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.667597055 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.667607069 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.667651892 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.673791885 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.674231052 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.700458050 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.700468063 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.700520039 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.717654943 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.717724085 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.724931955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.724978924 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.744700909 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.744750977 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.744770050 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.762270927 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.765172958 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.800802946 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.805598974 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.809164047 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.810966015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.811017036 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.815790892 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.821136951 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.855571985 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.860424042 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.860506058 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.860547066 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.860553026 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.860656023 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.860703945 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.860713959 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.865293980 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.865354061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.892360926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.892425060 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.912822962 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.914150953 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.947143078 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.949137926 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.950449944 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.950504065 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.952327013 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.952383995 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.955323935 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.957134008 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.961993933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.965136051 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:54.983963966 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:54.985235929 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.031672955 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.033240080 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.037228107 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.038048029 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.038125992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.042943954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.044222116 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.049052000 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.053129911 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.057910919 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.061139107 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.065902948 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.075684071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.076864004 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.076917887 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.108936071 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.108948946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.108959913 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.109111071 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.124779940 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.125029087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.167284012 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.167294025 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.167355061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.195455074 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.195544004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.243721008 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.244137049 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.248980999 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.259073019 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.287233114 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.287292004 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.303637981 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.315185070 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.315203905 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.315253973 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.369369984 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.374017954 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.374028921 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.374073029 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.378849983 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.378948927 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.411828041 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.416641951 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416703939 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416743994 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416780949 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.416845083 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416904926 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416917086 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.416951895 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.416970015 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.421555996 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.425121069 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.429924965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.429969072 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.460882902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.461007118 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.503403902 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.504415989 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.521605968 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.523942947 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.568952084 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.571676016 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.573134899 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.573864937 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.573930979 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.577909946 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.578701973 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.578768969 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.583580017 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.585124016 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.589978933 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.591104031 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.595906973 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.595999956 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.619055033 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.653067112 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.657835007 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.661159992 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.666022062 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.669116020 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.682634115 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.685141087 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.710607052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.713247061 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.744688034 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.745253086 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.776686907 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.777144909 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.823688030 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.823765039 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.828690052 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.828866959 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.833744049 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.834177017 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.838946104 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.841125011 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.846050978 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.849127054 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.853926897 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.857142925 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.865633965 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.868426085 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.868436098 CET	63701	52312	154.82.113.139	192.168.2.4
Jan 8, 2025 08:59:55.868489981 CET	52312	63701	192.168.2.4	154.82.113.139
Jan 8, 2025 08:59:55.891362906 CET	52312	63701	192.168.2.4	154.82.113.139

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Jan 8, 2025 08:58:42.654100895 CET	192.168.2.4	154.82.113.139	bc28	Echo
Jan 8, 2025 08:58:42.959244967 CET	154.82.113.139	192.168.2.4	c428	Echo Reply
Jan 8, 2025 08:58:43.966038942 CET	192.168.2.4	154.82.113.139	ca21	Echo
Jan 8, 2025 08:58:44.270998001 CET	154.82.113.139	192.168.2.4	d221	Echo Reply
Jan 8, 2025 08:58:45.281239033 CET	192.168.2.4	154.82.113.139	907b	Echo
Jan 8, 2025 08:58:45.586198092 CET	154.82.113.139	192.168.2.4	987b	Echo Reply
Jan 8, 2025 08:58:46.591588974 CET	192.168.2.4	154.82.113.139	1b4a	Echo
Jan 8, 2025 08:58:46.896518946 CET	154.82.113.139	192.168.2.4	234a	Echo Reply
Jan 8, 2025 08:58:49.092173100 CET	192.168.2.4	154.82.113.139	6631	Echo
Jan 8, 2025 08:58:49.397305965 CET	154.82.113.139	192.168.2.4	6e31	Echo Reply
Jan 8, 2025 08:58:50.403589964 CET	192.168.2.4	154.82.113.139	742a	Echo
Jan 8, 2025 08:58:50.708703041 CET	154.82.113.139	192.168.2.4	7c2a	Echo Reply
Jan 8, 2025 08:58:51.716083050 CET	192.168.2.4	154.82.113.139	8123	Echo
Jan 8, 2025 08:58:52.021518946 CET	154.82.113.139	192.168.2.4	8923	Echo Reply
Jan 8, 2025 08:58:53.028531075 CET	192.168.2.4	154.82.113.139	901c	Echo
Jan 8, 2025 08:58:53.333477020 CET	154.82.113.139	192.168.2.4	981c	Echo Reply
Jan 8, 2025 08:58:55.467039108 CET	192.168.2.4	154.82.113.139	9fed	Echo
Jan 8, 2025 08:58:55.771895885 CET	154.82.113.139	192.168.2.4	a7ed	Echo Reply
Jan 8, 2025 08:58:56.778541088 CET	192.168.2.4	154.82.113.139	6647	Echo
Jan 8, 2025 08:58:57.083379984 CET	154.82.113.139	192.168.2.4	6e47	Echo Reply
Jan 8, 2025 08:58:58.097542048 CET	192.168.2.4	154.82.113.139	a976	Echo
Jan 8, 2025 08:58:58.536803007 CET	154.82.113.139	192.168.2.4	b176	Echo Reply
Jan 8, 2025 08:58:59.544142962 CET	192.168.2.4	154.82.113.139	ae99	Echo
Jan 8, 2025 08:58:59.848974943 CET	154.82.113.139	192.168.2.4	b699	Echo Reply
Jan 8, 2025 08:59:01.982300043 CET	192.168.2.4	154.82.113.139	c6bf	Echo
Jan 8, 2025 08:59:02.287086964 CET	154.82.113.139	192.168.2.4	cebf	Echo Reply
Jan 8, 2025 08:59:03.294137955 CET	192.168.2.4	154.82.113.139	8d19	Echo
Jan 8, 2025 08:59:03.598845005 CET	154.82.113.139	192.168.2.4	9519	Echo Reply
Jan 8, 2025 08:59:04.606699944 CET	192.168.2.4	154.82.113.139	9b12	Echo
Jan 8, 2025 08:59:04.911477089 CET	154.82.113.139	192.168.2.4	a312	Echo Reply
Jan 8, 2025 08:59:05.919286013 CET	192.168.2.4	154.82.113.139	a90b	Echo
Jan 8, 2025 08:59:06.224297047 CET	154.82.113.139	192.168.2.4	b10b	Echo Reply
Jan 8, 2025 08:59:08.357749939 CET	192.168.2.4	154.82.113.139	c131	Echo
Jan 8, 2025 08:59:08.662522078 CET	154.82.113.139	192.168.2.4	c931	Echo Reply
Jan 8, 2025 08:59:09.669256926 CET	192.168.2.4	154.82.113.139	888b	Echo
Jan 8, 2025 08:59:09.974041939 CET	154.82.113.139	192.168.2.4	908b	Echo Reply
Jan 8, 2025 08:59:10.981756926 CET	192.168.2.4	154.82.113.139	9584	Echo
Jan 8, 2025 08:59:11.286642075 CET	154.82.113.139	192.168.2.4	9d84	Echo Reply
Jan 8, 2025 08:59:12.294492006 CET	192.168.2.4	154.82.113.139	a37d	Echo
Jan 8, 2025 08:59:12.599225998 CET	154.82.113.139	192.168.2.4	ab7d	Echo Reply
Jan 8, 2025 08:59:14.732830048 CET	192.168.2.4	154.82.113.139	5ea3	Echo
Jan 8, 2025 08:59:15.037590027 CET	154.82.113.139	192.168.2.4	66a3	Echo Reply
Jan 8, 2025 08:59:16.062398911 CET	192.168.2.4	154.82.113.139	19a6	Echo
Jan 8, 2025 08:59:16.367295027 CET	154.82.113.139	192.168.2.4	21a6	Echo Reply
Jan 8, 2025 08:59:17.372437954 CET	192.168.2.4	154.82.113.139	6efd	Echo
Jan 8, 2025 08:59:17.677330971 CET	154.82.113.139	192.168.2.4	76fd	Echo Reply
Jan 8, 2025 08:59:18.697741032 CET	192.168.2.4	154.82.113.139	b165	Echo
Jan 8, 2025 08:59:19.002671957 CET	154.82.113.139	192.168.2.4	b965	Echo Reply
Jan 8, 2025 08:59:21.171719074 CET	192.168.2.4	154.82.113.139	f709	Echo
Jan 8, 2025 08:59:21.476593018 CET	154.82.113.139	192.168.2.4	ff09	Echo Reply
Jan 8, 2025 08:59:22.481709003 CET	192.168.2.4	154.82.113.139	19a4	Echo
Jan 8, 2025 08:59:22.786633015 CET	154.82.113.139	192.168.2.4	21a4	Echo Reply
Jan 8, 2025 08:59:23.794217110 CET	192.168.2.4	154.82.113.139	5684	Echo
Jan 8, 2025 08:59:24.099015951 CET	154.82.113.139	192.168.2.4	5e84	Echo Reply
Jan 8, 2025 08:59:25.106703043 CET	192.168.2.4	154.82.113.139	3942	Echo
Jan 8, 2025 08:59:25.411634922 CET	154.82.113.139	192.168.2.4	4142	Echo Reply
Jan 8, 2025 08:59:27.544855118 CET	192.168.2.4	154.82.113.139	2225	Echo
Jan 8, 2025 08:59:27.849782944 CET	154.82.113.139	192.168.2.4	2a25	Echo Reply
Jan 8, 2025 08:59:28.857209921 CET	192.168.2.4	154.82.113.139	9a39	Echo
Jan 8, 2025 08:59:29.930932045 CET	154.82.113.139	192.168.2.4	a239	Echo Reply
Jan 8, 2025 08:59:30.934839964 CET	192.168.2.4	154.82.113.139	5d4d	Echo
Jan 8, 2025 08:59:31.239630938 CET	154.82.113.139	192.168.2.4	654d	Echo Reply
Jan 8, 2025 08:59:32.247431993 CET	192.168.2.4	154.82.113.139	aa9e	Echo
Jan 8, 2025 08:59:32.552238941 CET	154.82.113.139	192.168.2.4	b29e	Echo Reply
Jan 8, 2025 08:59:34.685549974 CET	192.168.2.4	154.82.113.139	fd78	Echo
Jan 8, 2025 08:59:34.990447998 CET	154.82.113.139	192.168.2.4	579	Echo Reply
Jan 8, 2025 08:59:35.997540951 CET	192.168.2.4	154.82.113.139	66a9	Echo
Jan 8, 2025 08:59:36.302793026 CET	154.82.113.139	192.168.2.4	6ea9	Echo Reply
Jan 8, 2025 08:59:37.310391903 CET	192.168.2.4	154.82.113.139	ce11	Echo
Jan 8, 2025 08:59:37.615175962 CET	154.82.113.139	192.168.2.4	d611	Echo Reply
Jan 8, 2025 08:59:38.622391939 CET	192.168.2.4	154.82.113.139	c91a	Echo
Jan 8, 2025 08:59:38.934783936 CET	154.82.113.139	192.168.2.4	d11a	Echo Reply
Jan 8, 2025 08:59:41.257945061 CET	192.168.2.4	154.82.113.139	c320	Echo
Jan 8, 2025 08:59:41.709882021 CET	154.82.113.139	192.168.2.4	cb20	Echo Reply
Jan 8, 2025 08:59:42.717432976 CET	192.168.2.4	154.82.113.139	acf7	Echo
Jan 8, 2025 08:59:43.023461103 CET	154.82.113.139	192.168.2.4	b4f7	Echo Reply
Jan 8, 2025 08:59:44.037252903 CET	192.168.2.4	154.82.113.139	f17f	Echo
Jan 8, 2025 08:59:44.342180014 CET	154.82.113.139	192.168.2.4	f97f	Echo Reply
Jan 8, 2025 08:59:45.356728077 CET	192.168.2.4	154.82.113.139	ba22	Echo
Jan 8, 2025 08:59:45.661560059 CET	154.82.113.139	192.168.2.4	c222	Echo Reply
Jan 8, 2025 08:59:47.796581030 CET	192.168.2.4	154.82.113.139	a5a2	Echo
Jan 8, 2025 08:59:48.101593018 CET	154.82.113.139	192.168.2.4	ada2	Echo Reply
Jan 8, 2025 08:59:49.106822014 CET	192.168.2.4	154.82.113.139	cb77	Echo
Jan 8, 2025 08:59:49.411566973 CET	154.82.113.139	192.168.2.4	d377	Echo Reply
Jan 8, 2025 08:59:50.419198990 CET	192.168.2.4	154.82.113.139	9fee	Echo
Jan 8, 2025 08:59:50.724069118 CET	154.82.113.139	192.168.2.4	a7ee	Echo Reply
Jan 8, 2025 08:59:51.731844902 CET	192.168.2.4	154.82.113.139	cfab	Echo
Jan 8, 2025 08:59:52.036595106 CET	154.82.113.139	192.168.2.4	d7ab	Echo Reply
Jan 8, 2025 08:59:54.170641899 CET	192.168.2.4	154.82.113.139	8391	Echo
Jan 8, 2025 08:59:54.475481987 CET	154.82.113.139	192.168.2.4	8b91	Echo Reply
Jan 8, 2025 08:59:55.481733084 CET	192.168.2.4	154.82.113.139	956e	Echo
Jan 8, 2025 08:59:55.786664963 CET	154.82.113.139	192.168.2.4	9d6e	Echo Reply
Jan 8, 2025 08:59:56.794507027 CET	192.168.2.4	154.82.113.139	faf5	Echo
Jan 8, 2025 08:59:57.099406004 CET	154.82.113.139	192.168.2.4	2f6	Echo Reply
Jan 8, 2025 08:59:58.106817961 CET	192.168.2.4	154.82.113.139	2160	Echo
Jan 8, 2025 08:59:58.411643982 CET	154.82.113.139	192.168.2.4	2960	Echo Reply
Jan 8, 2025 09:00:00.563724041 CET	192.168.2.4	154.82.113.139	c121	Echo
Jan 8, 2025 09:00:00.868664026 CET	154.82.113.139	192.168.2.4	c921	Echo Reply
Jan 8, 2025 09:00:01.888232946 CET	192.168.2.4	154.82.113.139	fb0a	Echo
Jan 8, 2025 09:00:02.193104029 CET	154.82.113.139	192.168.2.4	30b	Echo Reply
Jan 8, 2025 09:00:03.200511932 CET	192.168.2.4	154.82.113.139	9c46	Echo
Jan 8, 2025 09:00:03.505373955 CET	154.82.113.139	192.168.2.4	a446	Echo Reply
Jan 8, 2025 09:00:04.516344070 CET	192.168.2.4	154.82.113.139	5bbb	Echo
Jan 8, 2025 09:00:04.821264982 CET	154.82.113.139	192.168.2.4	63bb	Echo Reply
Jan 8, 2025 09:00:07.154519081 CET	192.168.2.4	154.82.113.139	dc5	Echo
Jan 8, 2025 09:00:07.459362030 CET	154.82.113.139	192.168.2.4	15c5	Echo Reply
Jan 8, 2025 09:00:08.466469049 CET	192.168.2.4	154.82.113.139	8e70	Echo
Jan 8, 2025 09:00:08.772434950 CET	154.82.113.139	192.168.2.4	9670	Echo Reply
Jan 8, 2025 09:00:09.778682947 CET	192.168.2.4	154.82.113.139	a385	Echo
Jan 8, 2025 09:00:10.083515882 CET	154.82.113.139	192.168.2.4	ab85	Echo Reply
Jan 8, 2025 09:00:11.091273069 CET	192.168.2.4	154.82.113.139	9e84	Echo
Jan 8, 2025 09:00:11.396112919 CET	154.82.113.139	192.168.2.4	a684	Echo Reply
Jan 8, 2025 09:00:13.546879053 CET	192.168.2.4	154.82.113.139	bf78	Echo
Jan 8, 2025 09:00:13.851790905 CET	154.82.113.139	192.168.2.4	c778	Echo Reply
Jan 8, 2025 09:00:14.857034922 CET	192.168.2.4	154.82.113.139	fe95	Echo
Jan 8, 2025 09:00:15.162046909 CET	154.82.113.139	192.168.2.4	696	Echo Reply
Jan 8, 2025 09:00:16.169269085 CET	192.168.2.4	154.82.113.139	b5bf	Echo
Jan 8, 2025 09:00:16.475577116 CET	154.82.113.139	192.168.2.4	bdbf	Echo Reply
Jan 8, 2025 09:00:17.481971025 CET	192.168.2.4	154.82.113.139	c42d	Echo
Jan 8, 2025 09:00:17.786748886 CET	154.82.113.139	192.168.2.4	cc2d	Echo Reply
Jan 8, 2025 09:00:20.125334024 CET	192.168.2.4	154.82.113.139	94be	Echo
Jan 8, 2025 09:00:20.430254936 CET	154.82.113.139	192.168.2.4	9cbe	Echo Reply
Jan 8, 2025 09:00:21.434989929 CET	192.168.2.4	154.82.113.139	c531	Echo
Jan 8, 2025 09:00:21.740065098 CET	154.82.113.139	192.168.2.4	cd31	Echo Reply
Jan 8, 2025 09:00:22.747647047 CET	192.168.2.4	154.82.113.139	1f73	Echo
Jan 8, 2025 09:00:23.052526951 CET	154.82.113.139	192.168.2.4	2773	Echo Reply
Jan 8, 2025 09:00:24.059885025 CET	192.168.2.4	154.82.113.139	fc24	Echo
Jan 8, 2025 09:00:24.364800930 CET	154.82.113.139	192.168.2.4	425	Echo Reply
Jan 8, 2025 09:00:26.499962091 CET	192.168.2.4	154.82.113.139	5ea6	Echo
Jan 8, 2025 09:00:26.804905891 CET	154.82.113.139	192.168.2.4	66a6	Echo Reply
Jan 8, 2025 09:00:27.809932947 CET	192.168.2.4	154.82.113.139	2ea5	Echo
Jan 8, 2025 09:00:28.114722967 CET	154.82.113.139	192.168.2.4	36a5	Echo Reply
Jan 8, 2025 09:00:29.123809099 CET	192.168.2.4	154.82.113.139	d227	Echo
Jan 8, 2025 09:00:29.428792953 CET	154.82.113.139	192.168.2.4	da27	Echo Reply
Jan 8, 2025 09:00:30.434881926 CET	192.168.2.4	154.82.113.139	c40e	Echo
Jan 8, 2025 09:00:30.739743948 CET	154.82.113.139	192.168.2.4	cc0e	Echo Reply
Jan 8, 2025 09:00:32.919002056 CET	192.168.2.4	154.82.113.139	4e42	Echo
Jan 8, 2025 09:00:33.223985910 CET	154.82.113.139	192.168.2.4	5642	Echo Reply
Jan 8, 2025 09:00:34.244337082 CET	192.168.2.4	154.82.113.139	6a07	Echo
Jan 8, 2025 09:00:34.549132109 CET	154.82.113.139	192.168.2.4	7207	Echo Reply
Jan 8, 2025 09:00:35.559906960 CET	192.168.2.4	154.82.113.139	c14c	Echo
Jan 8, 2025 09:00:35.864779949 CET	154.82.113.139	192.168.2.4	c94c	Echo Reply
Jan 8, 2025 09:00:36.872462034 CET	192.168.2.4	154.82.113.139	12cf	Echo
Jan 8, 2025 09:00:37.177277088 CET	154.82.113.139	192.168.2.4	1acf	Echo Reply
Jan 8, 2025 09:00:39.316950083 CET	192.168.2.4	154.82.113.139	cc27	Echo
Jan 8, 2025 09:00:39.621784925 CET	154.82.113.139	192.168.2.4	d427	Echo Reply
Jan 8, 2025 09:00:40.643241882 CET	192.168.2.4	154.82.113.139	2d39	Echo
Jan 8, 2025 09:00:40.948105097 CET	154.82.113.139	192.168.2.4	3539	Echo Reply
Jan 8, 2025 09:00:41.950536013 CET	192.168.2.4	154.82.113.139	fbf4	Echo
Jan 8, 2025 09:00:42.255573988 CET	154.82.113.139	192.168.2.4	3f5	Echo Reply
Jan 8, 2025 09:00:43.285478115 CET	192.168.2.4	154.82.113.139	e072	Echo
Jan 8, 2025 09:00:43.590368986 CET	154.82.113.139	192.168.2.4	e872	Echo Reply
Jan 8, 2025 09:00:45.750298023 CET	192.168.2.4	154.82.113.139	be81	Echo
Jan 8, 2025 09:00:46.055211067 CET	154.82.113.139	192.168.2.4	c681	Echo Reply
Jan 8, 2025 09:00:47.059920073 CET	192.168.2.4	154.82.113.139	ccc2	Echo
Jan 8, 2025 09:00:47.364808083 CET	154.82.113.139	192.168.2.4	d4c2	Echo Reply
Jan 8, 2025 09:00:48.375468016 CET	192.168.2.4	154.82.113.139	2aa7	Echo
Jan 8, 2025 09:00:48.680480003 CET	154.82.113.139	192.168.2.4	32a7	Echo Reply
Jan 8, 2025 09:00:49.685044050 CET	192.168.2.4	154.82.113.139	93a9	Echo
Jan 8, 2025 09:00:49.989804983 CET	154.82.113.139	192.168.2.4	9ba9	Echo Reply
Jan 8, 2025 09:00:52.124471903 CET	192.168.2.4	154.82.113.139	33a8	Echo
Jan 8, 2025 09:00:52.429599047 CET	154.82.113.139	192.168.2.4	3ba8	Echo Reply
Jan 8, 2025 09:00:53.435086966 CET	192.168.2.4	154.82.113.139	9d49	Echo
Jan 8, 2025 09:00:53.739948034 CET	154.82.113.139	192.168.2.4	a549	Echo Reply
Jan 8, 2025 09:00:54.747603893 CET	192.168.2.4	154.82.113.139	c086	Echo
Jan 8, 2025 09:00:55.052511930 CET	154.82.113.139	192.168.2.4	c886	Echo Reply
Jan 8, 2025 09:00:56.059989929 CET	192.168.2.4	154.82.113.139	1e41	Echo
Jan 8, 2025 09:00:56.366962910 CET	154.82.113.139	192.168.2.4	2641	Echo Reply
Jan 8, 2025 09:00:58.515254974 CET	192.168.2.4	154.82.113.139	b2f2	Echo
Jan 8, 2025 09:00:58.820080996 CET	154.82.113.139	192.168.2.4	baf2	Echo Reply
Jan 8, 2025 09:00:59.825614929 CET	192.168.2.4	154.82.113.139	a48d	Echo
Jan 8, 2025 09:01:00.130513906 CET	154.82.113.139	192.168.2.4	ac8d	Echo Reply
Jan 8, 2025 09:01:01.161684990 CET	192.168.2.4	154.82.113.139	5572	Echo
Jan 8, 2025 09:01:01.466701031 CET	154.82.113.139	192.168.2.4	5d72	Echo Reply
Jan 8, 2025 09:01:02.488293886 CET	192.168.2.4	154.82.113.139	c15e	Echo
Jan 8, 2025 09:01:02.793311119 CET	154.82.113.139	192.168.2.4	c95e	Echo Reply
Jan 8, 2025 09:01:04.942274094 CET	192.168.2.4	154.82.113.139	be96	Echo
Jan 8, 2025 09:01:05.247155905 CET	154.82.113.139	192.168.2.4	c696	Echo Reply
Jan 8, 2025 09:01:06.263175964 CET	192.168.2.4	154.82.113.139	8c94	Echo
Jan 8, 2025 09:01:06.568160057 CET	154.82.113.139	192.168.2.4	9494	Echo Reply
Jan 8, 2025 09:01:07.575645924 CET	192.168.2.4	154.82.113.139	bc23	Echo
Jan 8, 2025 09:01:07.880548000 CET	154.82.113.139	192.168.2.4	c423	Echo Reply
Jan 8, 2025 09:01:08.888077021 CET	192.168.2.4	154.82.113.139	7d34	Echo
Jan 8, 2025 09:01:09.192955971 CET	154.82.113.139	192.168.2.4	8534	Echo Reply
Jan 8, 2025 09:01:11.327527046 CET	192.168.2.4	154.82.113.139	63f2	Echo
Jan 8, 2025 09:01:11.632286072 CET	154.82.113.139	192.168.2.4	6bf2	Echo Reply
Jan 8, 2025 09:01:12.638081074 CET	192.168.2.4	154.82.113.139	3629	Echo
Jan 8, 2025 09:01:12.943155050 CET	154.82.113.139	192.168.2.4	3e29	Echo Reply
Jan 8, 2025 09:01:13.950812101 CET	192.168.2.4	154.82.113.139	dd08	Echo
Jan 8, 2025 09:01:14.255717039 CET	154.82.113.139	192.168.2.4	e508	Echo Reply
Jan 8, 2025 09:01:15.263191938 CET	192.168.2.4	154.82.113.139	aa21	Echo
Jan 8, 2025 09:01:15.568295002 CET	154.82.113.139	192.168.2.4	b221	Echo Reply
Jan 8, 2025 09:01:17.710767031 CET	192.168.2.4	154.82.113.139	e020	Echo
Jan 8, 2025 09:01:18.015814066 CET	154.82.113.139	192.168.2.4	e820	Echo Reply
Jan 8, 2025 09:01:19.028851032 CET	192.168.2.4	154.82.113.139	819b	Echo
Jan 8, 2025 09:01:19.334412098 CET	154.82.113.139	192.168.2.4	899b	Echo Reply
Jan 8, 2025 09:01:20.341212034 CET	192.168.2.4	154.82.113.139	b2d6	Echo
Jan 8, 2025 09:01:20.647835016 CET	154.82.113.139	192.168.2.4	bad6	Echo Reply
Jan 8, 2025 09:01:21.653822899 CET	192.168.2.4	154.82.113.139	8132	Echo
Jan 8, 2025 09:01:21.958825111 CET	154.82.113.139	192.168.2.4	8932	Echo Reply
Jan 8, 2025 09:01:24.093769073 CET	192.168.2.4	154.82.113.139	f4d3	Echo
Jan 8, 2025 09:01:24.398655891 CET	154.82.113.139	192.168.2.4	fcd3	Echo Reply
Jan 8, 2025 09:01:25.403774977 CET	192.168.2.4	154.82.113.139	107c	Echo
Jan 8, 2025 09:01:25.708622932 CET	154.82.113.139	192.168.2.4	187c	Echo Reply
Jan 8, 2025 09:01:26.716216087 CET	192.168.2.4	154.82.113.139	eb7d	Echo
Jan 8, 2025 09:01:27.021153927 CET	154.82.113.139	192.168.2.4	f37d	Echo Reply
Jan 8, 2025 09:01:28.029479027 CET	192.168.2.4	154.82.113.139	ca0e	Echo
Jan 8, 2025 09:01:28.334335089 CET	154.82.113.139	192.168.2.4	d20e	Echo Reply
Jan 8, 2025 09:01:30.484545946 CET	192.168.2.4	154.82.113.139	92b7	Echo
Jan 8, 2025 09:01:30.789494038 CET	154.82.113.139	192.168.2.4	9ab7	Echo Reply
Jan 8, 2025 09:01:31.810038090 CET	192.168.2.4	154.82.113.139	9d52	Echo
Jan 8, 2025 09:01:32.766716957 CET	154.82.113.139	192.168.2.4	a552	Echo Reply
Jan 8, 2025 09:01:33.791661978 CET	192.168.2.4	154.82.113.139	ed8f	Echo
Jan 8, 2025 09:01:34.096703053 CET	154.82.113.139	192.168.2.4	f58f	Echo Reply
Jan 8, 2025 09:01:35.106930017 CET	192.168.2.4	154.82.113.139	8f60	Echo
Jan 8, 2025 09:01:35.412029982 CET	154.82.113.139	192.168.2.4	9760	Echo Reply
Jan 8, 2025 09:01:37.779722929 CET	192.168.2.4	154.82.113.139	cc50	Echo
Jan 8, 2025 09:01:38.084631920 CET	154.82.113.139	192.168.2.4	d450	Echo Reply
Jan 8, 2025 09:01:39.092176914 CET	192.168.2.4	154.82.113.139	741e	Echo
Jan 8, 2025 09:01:40.250924110 CET	154.82.113.139	192.168.2.4	7c1e	Echo Reply
Jan 8, 2025 09:01:41.263103008 CET	192.168.2.4	154.82.113.139	6e64	Echo
Jan 8, 2025 09:01:41.568062067 CET	154.82.113.139	192.168.2.4	7664	Echo Reply
Jan 8, 2025 09:01:42.575633049 CET	192.168.2.4	154.82.113.139	5732	Echo
Jan 8, 2025 09:01:42.880568981 CET	154.82.113.139	192.168.2.4	5f32	Echo Reply
Jan 8, 2025 09:01:45.014590025 CET	192.168.2.4	154.82.113.139	b1a3	Echo
Jan 8, 2025 09:01:45.319459915 CET	154.82.113.139	192.168.2.4	b9a3	Echo Reply
Jan 8, 2025 09:01:46.325640917 CET	192.168.2.4	154.82.113.139	3893	Echo
Jan 8, 2025 09:01:46.630521059 CET	154.82.113.139	192.168.2.4	4093	Echo Reply
Jan 8, 2025 09:01:47.638189077 CET	192.168.2.4	154.82.113.139	9019	Echo
Jan 8, 2025 09:01:47.943068981 CET	154.82.113.139	192.168.2.4	9819	Echo Reply
Jan 8, 2025 09:01:48.953824997 CET	192.168.2.4	154.82.113.139	393f	Echo
Jan 8, 2025 09:01:49.258807898 CET	154.82.113.139	192.168.2.4	413f	Echo Reply
Jan 8, 2025 09:01:51.432403088 CET	192.168.2.4	154.82.113.139	56a4	Echo
Jan 8, 2025 09:01:51.745141983 CET	154.82.113.139	192.168.2.4	5ea4	Echo Reply
Jan 8, 2025 09:01:52.749200106 CET	192.168.2.4	154.82.113.139	ea7b	Echo
Jan 8, 2025 09:01:53.054182053 CET	154.82.113.139	192.168.2.4	f27b	Echo Reply
Jan 8, 2025 09:01:54.063282013 CET	192.168.2.4	154.82.113.139	df65	Echo
Jan 8, 2025 09:01:54.368186951 CET	154.82.113.139	192.168.2.4	e765	Echo Reply
Jan 8, 2025 09:01:55.372520924 CET	192.168.2.4	154.82.113.139	386e	Echo
Jan 8, 2025 09:01:55.855623007 CET	154.82.113.139	192.168.2.4	406e	Echo Reply
Jan 8, 2025 09:01:58.009397030 CET	192.168.2.4	154.82.113.139	44b2	Echo
Jan 8, 2025 09:01:58.314265966 CET	154.82.113.139	192.168.2.4	4cb2	Echo Reply
Jan 8, 2025 09:01:59.326615095 CET	192.168.2.4	154.82.113.139	348	Echo
Jan 8, 2025 09:01:59.631457090 CET	154.82.113.139	192.168.2.4	b48	Echo Reply
Jan 8, 2025 09:02:00.638556004 CET	192.168.2.4	154.82.113.139	7c5c	Echo
Jan 8, 2025 09:02:00.943419933 CET	154.82.113.139	192.168.2.4	845c	Echo Reply
Jan 8, 2025 09:02:02.009247065 CET	192.168.2.4	154.82.113.139	862a	Echo
Jan 8, 2025 09:02:02.314372063 CET	154.82.113.139	192.168.2.4	8e2a	Echo Reply
Jan 8, 2025 09:02:04.452738047 CET	192.168.2.4	154.82.113.139	e67c	Echo
Jan 8, 2025 09:02:04.757759094 CET	154.82.113.139	192.168.2.4	ee7c	Echo Reply
Jan 8, 2025 09:02:05.763210058 CET	192.168.2.4	154.82.113.139	2182	Echo
Jan 8, 2025 09:02:06.068053007 CET	154.82.113.139	192.168.2.4	2982	Echo Reply

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 08:57:58.714531898 CET	1.1.1.1	192.168.2.4	0xdb6c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:57:58.714531898 CET	1.1.1.1	192.168.2.4	0xdb6c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:57:56
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\e-SPT Masa PPh.exe"
Imagebase:	0xab0000
File size:	29'409'880 bytes
MD5 hash:	097C653DDF86F75924A7192FB612B889
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:57:59
Start date:	08/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff611170000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:57:59
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding E68703343D1710A5BD8674B125AC70C2 C
Imagebase:	0x380000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:58:06
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\e-SPT Masa PPh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="7304" AI_MORE_CMD_LINE=1
Imagebase:	0xab0000
File size:	29'409'880 bytes
MD5 hash:	097C653DDF86F75924A7192FB612B889
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:58:13
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 129C99B55643455FEF40AE203A6AF1CF
Imagebase:	0x380000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:58:27
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe"
Imagebase:	0xd60000
File size:	175'328 bytes
MD5 hash:	BE4ED0D3AA0B2573927A046620106B13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:58:28
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32" -pIWLHTVJXHINUWUFBWIU -aos -y
Imagebase:	0xc70000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000003.1984404151.0000000002C66000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:58:28
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:58:32
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y
Imagebase:	0xc70000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:58:32
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:58:33
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y
Imagebase:	0xc70000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:58:33
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:58:35
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000000.2042743585.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:58:35
Start date:	08/01/2025
Path:	C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000012.00000002.2093700829.0000000002EDC000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:58:39
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CF02434F5D714D7A94B9C30D91870E32\VGX\Haloonoroff.exe"
Imagebase:	0xd20000
File size:	174'304 bytes
MD5 hash:	0D318144BD23BA1A72CC06FE19CB3F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00C04A60 Relevance: 51.6, APIs: 11, Strings: 18, Instructions: 819libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 00C04CA0
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C04D8A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 00C04EAF

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 00C04FB6

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00C050F1
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 00C051D2
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00C05262
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00C052A2

Part of subcall function 00BF8C90: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00C0537B,?), ref: 00BF8CAF
Part of subcall function 00BF8C90: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00BF8CC5
Part of subcall function 00BF8C90: FreeLibrary.KERNEL32(00000000), ref: 00BF8D08

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00C054C0
SHGetPathFromIDListW.SHELL32(?,?), ref: 00C05539
SHGetMalloc.SHELL32(00000000), ref: 00C05552

Strings

< , xrefs: 00C0514C
ProgramW6432, xrefs: 00C04AF4
SHGetFolderPathW, xrefs: 00C0529C
WindowsFolder, xrefs: 00C04E23, 00C04E38, 00C04E42
AppDataFolder, xrefs: 00C05427, 00C05465
WindowsVolume, xrefs: 00C04F2F, 00C04F44, 00C04F4E
ProgramFilesFolder, xrefs: 00C053E1
shfolder.dll, xrefs: 00C0525D
Shell32.dll, xrefs: 00C0539D
SystemFolder, xrefs: 00C04C01, 00C04C16, 00C04C20
SETUPEXEDIR, xrefs: 00C0509E
APPDATA, xrefs: 00C054B7, 00C054BF
ProgramFiles, xrefs: 00C05415
System32Folder, xrefs: 00C04CFE, 00C04D13, 00C04D1D
PROGRAMFILES, xrefs: 00C0549D
TempFolder, xrefs: 00C04FE2
ProgramFiles64Folder, xrefs: 00C04A98
Shlwapi.dll, xrefs: 00C05371

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: < $APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2967964373-963610336
Opcode ID: b1a63cc439838d23686261e98bf5da620144cc806c4849d4a5ec57bd0909d630
Instruction ID: c6a26455a93f4f322b7b37a2b2581620507f22904ab93c076c51af062d159d08
Opcode Fuzzy Hash: b1a63cc439838d23686261e98bf5da620144cc806c4849d4a5ec57bd0909d630
Instruction Fuzzy Hash: 7A62F274A006198BDB14EF24CC55BAFB3B2EF94314F5406A8D526973E1EB329E85CF90

Function 6C5EB500 Relevance: 45.4, APIs: 6, Strings: 19, Instructions: 1658COMMON

Download Yara Rule

APIs

#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EBB32
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EC042
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EBD92

Part of subcall function 6C5E63E0: #171.MSI(00000000,?,6C66E00C,?), ref: 6C5E6416
Part of subcall function 6C5E63E0: #171.MSI(00000000,?,00000000,?,?,055FEE68), ref: 6C5E6456

#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,?,055FEE68), ref: 6C5EC4C2
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,055FEE68), ref: 6C5EC831
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EC214

Part of subcall function 6C5E1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5E13F3
Part of subcall function 6C5E1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5E140A
Part of subcall function 6C5E1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5E1417
Part of subcall function 6C5E1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5E1429
Part of subcall function 6C5E1330: #8.MSI(00000000,?,00000000), ref: 6C5E1438

Part of subcall function 6C5E1FD0: GetProcessHeap.KERNEL32 ref: 6C5E202C

Strings

-> , xrefs: 6C5EBAAD
LIMITUI, xrefs: 6C5EB540
Action ended, xrefs: 6C5EC0EF
Track screen: [, xrefs: 6C5EC7A9
LogonUser, xrefs: 6C5EB5EB
4il, xrefs: 6C5EB8FD
AiEmbeddedDirectCall, xrefs: 6C5EBB2C, 6C5EBD8C, 6C5EC03C, 6C5EC20E, 6C5EC4BC, 6C5EC82B
fatal error, xrefs: 6C5EB93C
Warning: , xrefs: 6C5EBD1C
Lifecycle: , xrefs: 6C5EBA92
user abort, xrefs: 6C5EB8E9, 6C5EB951
success, xrefs: 6C5EB889
Exception >> , xrefs: 6C5EC439
Error: , xrefs: 6C5EBFB3
W, xrefs: 6C5EC658
Crash >> , xrefs: 6C5EC18B
xxgl, xrefs: 6C5EB61D
end, xrefs: 6C5EB997, 6C5EBA9E
Info 1720, xrefs: 6C5EC3DD

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: #125#171$#103HeapProcess
String ID: -> $4il$Action ended$AiEmbeddedDirectCall$Crash >> $Error: $Exception >> $Info 1720$LIMITUI$Lifecycle: $LogonUser$Track screen: [$W$Warning: $end$fatal error$success$user abort$xxgl
API String ID: 3629383927-2025538812
Opcode ID: aecb52038082494c85498b30d0b9362d1630221d72cf016e3ccfc362e4074db3
Instruction ID: 5bd97f9ec08e3c6c8a97802f9da43ea217c644bb6b2c7703ded1c78bea0c62ac
Opcode Fuzzy Hash: aecb52038082494c85498b30d0b9362d1630221d72cf016e3ccfc362e4074db3
Instruction Fuzzy Hash: 57E2F570E01248DBDF05DFA9C9547AEBBB2BF89318F14814DE811AB780DB74AE05CB95

Function 00C08AE0 Relevance: 41.6, APIs: 15, Strings: 8, Instructions: 1352libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,00D2D266,00000000,00000000,00D2D266,00000000,?,?,00D2D266,000000FF), ref: 00C08C70

Strings

Command line to pass to MSI:, xrefs: 00C0938B
" ====, xrefs: 00C08D6E
Full command line:, xrefs: 00C092D8
< , xrefs: 00C09192
====== Starting logging of ", xrefs: 00C08D2A, 00C08D3C, 00C08D46
< , xrefs: 00C0912F
, , xrefs: 00C08DB4
Advinst_, xrefs: 00C09665, 00C09677, 00C09681

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$, $< $< $Advinst_$Command line to pass to MSI:$Full command line:
API String ID: 3872204244-621877755
Opcode ID: 24895a657f33ca0c341c746de87396539afd62b4259a5dfedf02c4b74fe4528b
Instruction ID: f73a729e49a3efbe0c3a4d6588a9c668b696f8f3abbcbd7403938611dfb9b8ec
Opcode Fuzzy Hash: 24895a657f33ca0c341c746de87396539afd62b4259a5dfedf02c4b74fe4528b
Instruction Fuzzy Hash: 9DB2E431A002188FDB04DFA8C8557AEB7B5FF49314F14426DE926AB3D2DB749E05DBA0

Function 00C332B0 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 493
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C3332B
GetLastError.KERNEL32 ref: 00C33335
GetUserNameW.ADVAPI32(?,?), ref: 00C3337D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00C333B7
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00C33402
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,2E261FC3), ref: 00C335B8
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,2E261FC3), ref: 00C335E8
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,2E261FC3,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C3372D
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00C3376F
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00C337B8
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00C337DE
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00C3381A
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00C33912
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00C33954

Strings

Software, xrefs: 00C33608
UserDomain, xrefs: 00C333B2, 00C333FD
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C33833

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: 9d7bc9c2258ca6c1afadf4b823594ca17a5361b83021144d314b934664ad6bd5
Instruction ID: 8d173ee80bde544eac6cb430aacef1fb9a1520924c103a7b33fc56f7759b6e89
Opcode Fuzzy Hash: 9d7bc9c2258ca6c1afadf4b823594ca17a5361b83021144d314b934664ad6bd5
Instruction Fuzzy Hash: 3C228A70D10248DFEB14DFA4C999BEEBBB4EF14304F248159E415B7291DB74AB88CBA1

Function 00AD4AD0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 725fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00AD4C1F
PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00AD4CE6
FindFirstFileW.KERNEL32(00000000,?,*.*,00000000), ref: 00AD4E79
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD4E93
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00AD4ED0
FindClose.KERNEL32(00000000), ref: 00AD4F34
SetLastError.KERNEL32(0000007B), ref: 00AD4F3E
PathIsUNCW.SHLWAPI(?,?,2E261FC3,*.*,?), ref: 00AD51A4

Strings

\\?\, xrefs: 00AD4DF7, 00AD4E63, 00AD52BE, 00AD5329
\\?\UNC\, xrefs: 00AD4D06, 00AD4DE1, 00AD51C6, 00AD52A5
*.*, xrefs: 00AD4C48, 00AD4CB3, 00AD4CB4, 00AD50C6

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: df16846a57ba1703aa38778c07dc799e57ebff6aa38101f28d654d4e2cf39d91
Instruction ID: 17bd742efda0116e31cffbe45f5ec46cf5873b6bafa4355e28f860c373db7862
Opcode Fuzzy Hash: df16846a57ba1703aa38778c07dc799e57ebff6aa38101f28d654d4e2cf39d91
Instruction Fuzzy Hash: 94422530A00605DFCB14DF68C859BAEB7B5FF58324F14416AE816EB3A1DB72AD04CB90

Function 6C5FF260 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 431
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(00000000), ref: 6C5FF2C2
PathIsUNCW.SHLWAPI(?,*.*), ref: 6C5FF382
FindFirstFileW.KERNEL32(?,00000001,*.*), ref: 6C5FF578
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6C5FF592
GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 6C5FF5CF
FindClose.KERNEL32(00000000), ref: 6C5FF633
SetLastError.KERNEL32(0000007B), ref: 6C5FF63D

Strings

*.*, xrefs: 6C5FF2EA, 6C5FF324, 6C5FF34F, 6C5FF350
\\?\, xrefs: 6C5FF4F5, 6C5FF563
\\?\UNC\, xrefs: 6C5FF3A2, 6C5FF4DC

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FindPath$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 539638818-1700010636
Opcode ID: 95803b34eb6aa82b3d6df64300dff92c31dd8f624acbee052594da48552e613d
Instruction ID: af7f45602227f1a8f9957fb66682deb85e04176e1673adf8152f96dca12e6fd1
Opcode Fuzzy Hash: 95803b34eb6aa82b3d6df64300dff92c31dd8f624acbee052594da48552e613d
Instruction Fuzzy Hash: DDF19030A01505CBDB09DF64CC88BAEB7F1FF45328F144668E925ABB91DB35A906CF94

Function 00BEA0A0 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BEA0F2
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00BEA0FF
GetLastError.KERNEL32 ref: 00BEA109
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00BEA12D
GetLastError.KERNEL32 ref: 00BEA137
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00BEA15D
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BEA194
EqualSid.ADVAPI32(00000000,?), ref: 00BEA1A3
FreeSid.ADVAPI32(?), ref: 00BEA1B2
CloseHandle.KERNEL32(00000000), ref: 00BEA1EC

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: 845b3e2c24fe1bdf2ecd71e0eda21dedf3d8460e2a596d841382e797ea00bf08
Instruction ID: 282845d025fbda194cc2d07db48cfcb4435ed74950c00133b5c50f0df90b98f9
Opcode Fuzzy Hash: 845b3e2c24fe1bdf2ecd71e0eda21dedf3d8460e2a596d841382e797ea00bf08
Instruction Fuzzy Hash: 29414471900259EFDF109FA2DC58BEEBBB8FF09714F104059E411B3290D77A6A08DBA2

Function 6C5F12D0 Relevance: 10.5, Strings: 8, Instructions: 467COMMON

Download Yara Rule

Strings

Session ID, xrefs: 6C5F152D
Application Version, xrefs: 6C5F1455
.session, xrefs: 6C5F15A6
Current Session, xrefs: 6C5F1863
Hit , xrefs: 6C5F1675
Protocol Version, xrefs: 6C5F1378
Application ID, xrefs: 6C5F13E9
Client ID, xrefs: 6C5F14C1

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: .session$Application ID$Application Version$Client ID$Current Session$Hit $Protocol Version$Session ID
API String ID: 0-1058237813
Opcode ID: 2a1c92647a6cc63e0e0fb4d922ff1a3cbf51b90a9e1220e29997eb9f3b160879
Instruction ID: 697a378863e15a1d0d97d8ac4afcfdd3782a2d024294b303bb037bbca8fafcb4
Opcode Fuzzy Hash: 2a1c92647a6cc63e0e0fb4d922ff1a3cbf51b90a9e1220e29997eb9f3b160879
Instruction Fuzzy Hash: 3412BD71C00298DBDB28CF64CD54BEEB7B4AF45308F108699D45677A81DB70AE89CFA1

Function 00BF6710 Relevance: 7.8, APIs: 5, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 00BF6813
LoadStringW.USER32(?,?,?,00000001), ref: 00BF6933
CLSIDFromString.COMBASE(00000000,?), ref: 00BF6ABA
SysFreeString.OLEAUT32(00000000), ref: 00BF6ACE
SysAllocStringLen.OLEAUT32(?,?), ref: 00BF6AF5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: String$Load$AllocFreeFrom
String ID:
API String ID: 687443712-0
Opcode ID: 380ceec134a7419dea9f1247d0e25b15a36fb7f4f10fb1a3c334f35391b440a6
Instruction ID: a9fbed288a241f1876e2c39958172f6622e8d582acb8f12cdda83bcde3d50720
Opcode Fuzzy Hash: 380ceec134a7419dea9f1247d0e25b15a36fb7f4f10fb1a3c334f35391b440a6
Instruction Fuzzy Hash: 5FC17C71D0024C9FDB04DFA8C945BEEBBF5FF48304F14822AE915A7281EB746A49CB90

Function 00C25A70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C25B4A

Strings

\, xrefs: 00C25ACC
\, xrefs: 00C25AC4
\, xrefs: 00C25AEE

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 92ffcc257b20b435948b3fcd50f4bfa526bbc4016dc9b1b80eb14f6d523b72c6
Instruction ID: f77e8337d148f4f1df38447144c5ccf1bdf3e04692dfb8bb76ee262b9da55148
Opcode Fuzzy Hash: 92ffcc257b20b435948b3fcd50f4bfa526bbc4016dc9b1b80eb14f6d523b72c6
Instruction Fuzzy Hash: 7341B362E10725CBCB309F24A445ABBB3E5FF95354F154A2EE8E897940F7708E8583C6

Function 00ADF580 Relevance: 6.8, Strings: 5, Instructions: 569COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00ADF6B0, 00ADFB1E
PropertyValue, xrefs: 00ADFC28
MultipleInstances, xrefs: 00ADF5E6
AI_EXIST_NEW_INSTANCES, xrefs: 00ADF969
AI_EXIST_INSTANCES, xrefs: 00ADF803

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 0-2308371840
Opcode ID: 75a3cb4e66137d5e90680bc443881a26676ea5a16fb1d8a44dc026836aa31e22
Instruction ID: b452c7e68a342f10d8c933f9d49a69f0cb7b170c33fbe3556bc94032b91d3014
Opcode Fuzzy Hash: 75a3cb4e66137d5e90680bc443881a26676ea5a16fb1d8a44dc026836aa31e22
Instruction Fuzzy Hash: 6D32D270E00248DFDF04DFA4C999BEEBBB5BF49314F24815AE406A7391DB746A84CB91

Function 00C19F30 Relevance: 6.6, APIs: 4, Instructions: 644fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

FindFirstFileW.KERNEL32(?,?,00000000,00000000,?,?), ref: 00C1A36F
FindClose.KERNEL32(00000000), ref: 00C1A3B3
CloseHandle.KERNEL32(?,?), ref: 00C1A6B1

Part of subcall function 00C3B160: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,2E261FC3,?,?,?,?,?,?,00D17F3D), ref: 00C3B1C4

CloseHandle.KERNEL32(?,?), ref: 00C1A87B

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Close$FileFindHandle$CreateFirstHeapProcess
String ID:
API String ID: 1937692618-0
Opcode ID: b5d75c03bd4ab3c8af32a2cedb187542e566508039502c821c164478a9750543
Instruction ID: c4d7ab643527ee352a1d1eb25fd09660ec2c84480ad92ca47858aa1069a868e3
Opcode Fuzzy Hash: b5d75c03bd4ab3c8af32a2cedb187542e566508039502c821c164478a9750543
Instruction Fuzzy Hash: D4527A30D01A58CFDB14CB68CD587AEBBB0AF4A315F1482D9E419A7392DB70AE85DF41

Function 6C604E20 Relevance: 6.1, APIs: 4, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000001,00000001,?,B01345AF,00000001), ref: 6C604EB8
FindClose.KERNEL32(00000000), ref: 6C604EF0

Part of subcall function 6C5E1C40: RtlAllocateHeap.NTDLL(00000000,00000000,80004005,B01345AF,00000000,6C62C7D0,000000FF,?,?,6C69046C,80004005,?,6C60586B,80004005,?,6C6423A7), ref: 6C5E1C8A

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: d7a60e7d9ebdcb0442a6204a92f96dc4f5d801226e1857f70953dfea9518264b
Instruction ID: 30be0ddf64f504227e680f98339a746c8a3d93e27c9cf595a78f03a08ab7288e
Opcode Fuzzy Hash: d7a60e7d9ebdcb0442a6204a92f96dc4f5d801226e1857f70953dfea9518264b
Instruction Fuzzy Hash: 61310470A09214DADF38DF64CA497A9B7B4EF45328F10839DE525B3AC0D7B04944CB89

Function 00CBC189 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00C1C8C1,?,?,?), ref: 00CBC18E
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00CBC195
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 00CBC1DB
HeapFree.KERNEL32(00000000,?,?,?), ref: 00CBC1E2

Part of subcall function 00CBC027: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00CBC1D1,?,?,?,?), ref: 00CBC04B
Part of subcall function 00CBC027: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00CBC052

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 81518a9422f4e6980dcd0ffc33b278418c3818df7517e3e2161d1bad111bcf10
Instruction ID: 08aa25fdd8b5bd6b27f8aef34e870023bbfc5dbd9a9355d378257cf13d4ac3dd
Opcode Fuzzy Hash: 81518a9422f4e6980dcd0ffc33b278418c3818df7517e3e2161d1bad111bcf10
Instruction Fuzzy Hash: 7DF0243724471287DB302FBD7C2D99F7A24AFC1B61F114028F446E6245CE20C8019B70

Function 00BA82D0 Relevance: 4.7, APIs: 3, Instructions: 234libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00BA8312
GetSysColor.USER32(00000011), ref: 00BA8644

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

LoadLibraryExW.KERNEL32(?,00000000,00000000,00D1D9BD,000000FF), ref: 00BA83E9

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ColorDirectoryFindHeapLibraryLoadProcessResourceSystem
String ID:
API String ID: 346497123-0
Opcode ID: bea46f6c3aa8c21ee1e7bbf2bbd1cae14bbcdc8f875e1e13d5964cdb035b611d
Instruction ID: 9541ead6e96ca97f0ab675296bda719a0c592bd428c8d5e690b5849d6a835024
Opcode Fuzzy Hash: bea46f6c3aa8c21ee1e7bbf2bbd1cae14bbcdc8f875e1e13d5964cdb035b611d
Instruction Fuzzy Hash: F5A17CB0504645EFEB14CF64C858B9ABBF4FF05318F14825DE4199B781DBBAA618CF90

Function 00BEE4E0 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00BEE57F
FindClose.KERNEL32(00000000), ref: 00BEE5DE

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: f837f7329e04f94e0f0a26a0c26db22a705cc03ec52808eb3ce796bb69d3a797
Instruction ID: 95864ffc8c8d52e7f03719dfd91d7868c591ed3d2207e12b88bd7c9fc1391c88
Opcode Fuzzy Hash: f837f7329e04f94e0f0a26a0c26db22a705cc03ec52808eb3ce796bb69d3a797
Instruction Fuzzy Hash: D731D0749002589FDB34DF16C889BAAB7F4EF54318F20819AE92AA7390E7319D44CF91

Function 00C4D2B0 Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

{Binary Data}, xrefs: 00C4D602
Name, xrefs: 00C4D6CD

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: e41f7f365904630f4324cedfe615a2c369d33b6d389081834678a4d172b2ef50
Instruction ID: 53d42273a148458d696780bf62431ab78b0822185d84c78e9680be92dfeda45b
Opcode Fuzzy Hash: e41f7f365904630f4324cedfe615a2c369d33b6d389081834678a4d172b2ef50
Instruction Fuzzy Hash: 5D427870D00259DFDB24DF68C985BEDB7B5BF48300F1485A9E41AA7291EB74AE84CF60

Function 00C34930 Relevance: 3.1, APIs: 2, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,2E261FC3,?,?,00000000), ref: 00C349BB
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,2E261FC3,?,?,00000000), ref: 00C349E1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: f20dfcf92ef7938b6eb2712598d9a715705bf0bf57e5106830af707552677928
Instruction ID: 6577d73c3059498e8f1d229b3ad2e2ccadf7c0901e24bc1e179f11dac31cc396
Opcode Fuzzy Hash: f20dfcf92ef7938b6eb2712598d9a715705bf0bf57e5106830af707552677928
Instruction Fuzzy Hash: 81310235A84706AFD724CF24DC01BAAFBA5EB05720F10862AF566A73D0CB75A900CB54

Function 00AF22F0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00AF2308
SetUnhandledExceptionFilter.KERNEL32(00BED330), ref: 00AF231E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 93b283bb7f826a2a978c9fddfd5bfe3a582d4119eb612afaac7fbc4564159118
Instruction ID: c0a1e6760f6e86fb2d671947c0fb0ef17a0726bff7fcbda6b7f2688c4f08ccdb
Opcode Fuzzy Hash: 93b283bb7f826a2a978c9fddfd5bfe3a582d4119eb612afaac7fbc4564159118
Instruction Fuzzy Hash: BCE0D876A04340AFCA106B769C0DF8A7F54AB96B11F044065F141A32B1CB715849C772

Function 6C5DF8D0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 6C5DF937

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: fef581933c4cb10edd1717c007d952773629381433c75bf752dffc5506a99b4e
Instruction ID: 0aafc44f9e267f1ce6ef5af1da25ea171eca7a1187652d2fa78f7127c0628169
Opcode Fuzzy Hash: fef581933c4cb10edd1717c007d952773629381433c75bf752dffc5506a99b4e
Instruction Fuzzy Hash: 2C11D075A05211BED308CB6CCC9886EB7A9FF85318F9AC72AE00597A00EF20BC018794

Function 00C406B0 Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00D74548,00000000,00000001,00D923D0,000000B0), ref: 00C40737

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6f77da52a05b0c567155ad06b2b40117f21a32ce131e259d90dc3c7c297cb50c
Instruction ID: f082c4ca44f640882c9716cf183917ee0b7670b67f4aede53200256d0b26ad78
Opcode Fuzzy Hash: 6f77da52a05b0c567155ad06b2b40117f21a32ce131e259d90dc3c7c297cb50c
Instruction Fuzzy Hash: 4D118EB5644708BFEB20CF49DC45B6ABBF8FB05720F10425AE4249B7D0D7B66904CBA1

Function 00C3BBB0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateHeapInstanceProcess
String ID:
API String ID: 776714826-0
Opcode ID: 903d09d6c349e43d50c7c7ce97f2d1bcd61de3d5069043f223cda6b2677e0861
Instruction ID: e99eead1afe4871269ae9b96697120a4633edd7227553788f4ed6a8de920ef06
Opcode Fuzzy Hash: 903d09d6c349e43d50c7c7ce97f2d1bcd61de3d5069043f223cda6b2677e0861
Instruction Fuzzy Hash: C1716A70A00749AFDB04CF68C49879ABBE0BF09308F54856DD5199B782DBB5AA19CFD0

Function 00BD3670 Relevance: 114.1, APIs: 8, Strings: 57, Instructions: 355
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

GetModuleFileNameW.KERNEL32(00000000,?,00000104,2E261FC3,00000000,?,?,?,000000FF), ref: 00BD37A5
GetModuleHandleW.KERNEL32(kernel32,.local,?,?,?,?,000000FF), ref: 00BD384C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00BD388B
SetSearchPathMode.KERNEL32 ref: 00BD38BE
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00BD38ED
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BD394F
SetDefaultDllDirectories.KERNELBASE ref: 00BD3982

Part of subcall function 00BA82D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00BA8312

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

FreeLibrary.KERNEL32(?,2E261FC3,00000000,00CE39F0,000000FF,?,000000E1,80004005,?,?,000000FF), ref: 00BD3BF4

Part of subcall function 00BD92F0: EnterCriticalSection.KERNEL32(00E01F9C,2E261FC3), ref: 00BD932F
Part of subcall function 00BD92F0: DestroyWindow.USER32(00000000), ref: 00BD934D
Part of subcall function 00BD92F0: LeaveCriticalSection.KERNEL32(00E01F9C), ref: 00BD9396

Strings

userenv.dll, xrefs: 00BD39D4
usp10.dll, xrefs: 00BD3ACB
lpk.dll, xrefs: 00BD3AB7
msls31.dll, xrefs: 00BD39AA
netutils.dll, xrefs: 00BD3B1B
urlmon.dll, xrefs: 00BD3A3D
profapi.dll, xrefs: 00BD39C6
shcore.dll, xrefs: 00BD3ADF
ws2_32.dll, xrefs: 00BD3B07
srvcli.dll, xrefs: 00BD3B25
crypt32.dll, xrefs: 00BD3A99
msimg32.dll, xrefs: 00BD3A21
msasn1.dll, xrefs: 00BD3A8F
secur32.dll, xrefs: 00BD3AF3
dbghelp.dll, xrefs: 00BD3A28
wininet.dll, xrefs: 00BD3A36
advapi32.dll, xrefs: 00BD3A05
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00BD36F4
kernel32, xrefs: 00BD3847
propsys.dll, xrefs: 00BD3A71
cryptsp.dll, xrefs: 00BD3AE9
cabinet.dll, xrefs: 00BD3A60
wkscli.dll, xrefs: 00BD3B2F
ole32.dll, xrefs: 00BD39E9
wintrust.dll, xrefs: 00BD3AA3
SetDllDirectory, xrefs: 00BD38E7
kernel32.dll, xrefs: 00BD3A67
comctl32.dll, xrefs: 00BD39F7
gdi32.dll, xrefs: 00BD3A0C
davhlpr.dll, xrefs: 00BD39E2
samcli.dll, xrefs: 00BD3AFD
netapi32.dll, xrefs: 00BD3B11
gdiplus.dll, xrefs: 00BD39CD, 00BD3A59
USP10.dll, xrefs: 00BD39A3
WindowsCodecs.dll, xrefs: 00BD398E
uxtheme.dll, xrefs: 00BD39BF, 00BD3A4B
comdlg32.dll, xrefs: 00BD3A1A
rsaenh.dll, xrefs: 00BD3A7B
msi.dll, xrefs: 00BD399C, 00BD3A52
setupapi.dll, xrefs: 00BD3AC1
shell32.dll, xrefs: 00BD39FE
SetSearchPathMode, xrefs: 00BD3885
SetDefaultDllDirectories, xrefs: 00BD3949
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00BD3717, 00BD371F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00BD3712
bcrypt.dll, xrefs: 00BD3995
msihnd.dll, xrefs: 00BD3AD5
mpr.dll, xrefs: 00BD39B8, 00BD3A44
apphelp.dll, xrefs: 00BD3A85
psapi.dll, xrefs: 00BD3984
version.dll, xrefs: 00BD39B1, 00BD3A2F
dwmapi.dll, xrefs: 00BD39DB
user32.dll, xrefs: 00BD3A13
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00BD36F9, 00BD3701
oleaut32.dll, xrefs: 00BD39F0
.local, xrefs: 00BD3826
shlwapi.dll, xrefs: 00BD3AAD

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressProc$CriticalHeapModuleSection$AllocateDefaultDestroyDirectoriesDirectoryEnterFileFreeHandleLeaveLibraryModeNamePathProcessSearchSystemWindow
String ID: .local$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$USP10.dll$WindowsCodecs.dll$advapi32.dll$apphelp.dll$bcrypt.dll$cabinet.dll$comctl32.dll$comdlg32.dll$crypt32.dll$cryptsp.dll$davhlpr.dll$dbghelp.dll$dwmapi.dll$gdi32.dll$gdiplus.dll$kernel32$kernel32.dll$lpk.dll$mpr.dll$msasn1.dll$msi.dll$msihnd.dll$msimg32.dll$msls31.dll$netapi32.dll$netutils.dll$ole32.dll$oleaut32.dll$profapi.dll$propsys.dll$psapi.dll$rsaenh.dll$samcli.dll$secur32.dll$setupapi.dll$shcore.dll$shell32.dll$shlwapi.dll$srvcli.dll$urlmon.dll$user32.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wininet.dll$wintrust.dll$wkscli.dll$ws2_32.dll
API String ID: 863123761-3786055182
Opcode ID: 51345a8f2fa1d1a77991470bf1da39cc0175797ac16d10e767d262fa5bfc4656
Instruction ID: e4575ef7ee252272be7ddeb2337bad520a9b723be695e251628efac1bd3f293b
Opcode Fuzzy Hash: 51345a8f2fa1d1a77991470bf1da39cc0175797ac16d10e767d262fa5bfc4656
Instruction Fuzzy Hash: 3EE190B45002889FDB20EF58CC49BEE7BF4FB45714F10415AF919AB391E7B45A48CBA2

Function 00BF3DB0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00BF3E2A
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 00BF3E5F
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00BF3EDE
RegCloseKey.KERNEL32(00000000), ref: 00BF40BE

Strings

CommunicationServer, xrefs: 00BF3F6B
Small Business, xrefs: 00BF3F20
Personal, xrefs: 00BF3FE9
Compute Server, xrefs: 00BF405C
Blade, xrefs: 00BF4000
Enterprise, xrefs: 00BF3F39
WinNT, xrefs: 00BF3E69
Embedded(Restricted), xrefs: 00BF4017
ProductSuite, xrefs: 00BF3ED3
Terminal Server, xrefs: 00BF3F84
Security Appliance, xrefs: 00BF402E
BackOffice, xrefs: 00BF3F52
Small Business(Restricted), xrefs: 00BF3F9D
DataCenter, xrefs: 00BF3FCF
ProductType, xrefs: 00BF3E54
EmbeddedNT, xrefs: 00BF3FB6
ServerNT, xrefs: 00BF3E8C
Storage Server, xrefs: 00BF4045
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00BF3E20

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 6f62038c5f19168d1ebfdb76641d1f28810d5e1d4aff54a040444ba53e5b4aa3
Instruction ID: 2a58529c832a5d189aa82a97c695670c25bfe80ae97bc591b98f2ce30d35b57c
Opcode Fuzzy Hash: 6f62038c5f19168d1ebfdb76641d1f28810d5e1d4aff54a040444ba53e5b4aa3
Instruction Fuzzy Hash: 5271813170430C8ADB10AB359C50BBB72E5EB42790F1041F5AB06AB7D1EB35CE8D9B52

Function 6C603BD0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,?,?,00000000,6C6446AD,000000FF), ref: 6C603C46
RegQueryValueExW.KERNEL32(?,ProductType,00000000,00000000,?,?,?,00000000,6C6446AD,000000FF), ref: 6C603C72
RegQueryValueExW.KERNEL32(?,ProductSuite,00000000,00000000,?,?,?,00000000,6C6446AD,000000FF), ref: 6C603CE5
RegCloseKey.ADVAPI32(?,?,00000000,6C6446AD,000000FF), ref: 6C603EB8

Strings

EmbeddedNT, xrefs: 6C603DB6
Storage Server, xrefs: 6C603E45
Small Business, xrefs: 6C603D20
ProductType, xrefs: 6C603C6A
Personal, xrefs: 6C603DE9
Compute Server, xrefs: 6C603E5C
Enterprise, xrefs: 6C603D39
ServerNT, xrefs: 6C603C9F
Blade, xrefs: 6C603E00
Security Appliance, xrefs: 6C603E2E
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 6C603C3C
Terminal Server, xrefs: 6C603D84
CommunicationServer, xrefs: 6C603D6B
Small Business(Restricted), xrefs: 6C603D9D
Embedded(Restricted), xrefs: 6C603E17
ProductSuite, xrefs: 6C603CDD
DataCenter, xrefs: 6C603DCF
WinNT, xrefs: 6C603C7C
BackOffice, xrefs: 6C603D52

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: eb539d60bb09cea9cc00e6648b28e17de282339dffea8f9d5e52cd2189463932
Instruction ID: b56c8e9f0d8c38de3eba01741e51804a6c659bd6a6a02934cc983b4a7b004cf5
Opcode Fuzzy Hash: eb539d60bb09cea9cc00e6648b28e17de282339dffea8f9d5e52cd2189463932
Instruction Fuzzy Hash: 3771FB747002449BDB189F65CE40FDF36B5AB46389F144A3ADA06BFA91EB34CD0A875C

Function 00BF3A00 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00BF3A78
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00BF3AB9
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00BF3ADC
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00BF3B0F
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00BF3B88
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00BF3BFF
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00BF3C55
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00BF3CF3
GetProcAddress.KERNEL32(00000000), ref: 00BF3CFA
GetCurrentProcess.KERNEL32(?), ref: 00BF3D31
IsWow64Process.KERNEL32 ref: 00BF3D40
RegCloseKey.ADVAPI32(00000000), ref: 00BF3D7A

Strings

kernel32, xrefs: 00BF3CEE
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00BF3A6E
IsWow64Process, xrefs: 00BF3CE9
Pv, xrefs: 00BF3C66
CSDVersion, xrefs: 00BF3C4A
ReleaseId, xrefs: 00BF3BF4
CurrentMinorVersionNumber, xrefs: 00BF3AD1
CurrentBuildNumber, xrefs: 00BF3B7D
CurrentVersion, xrefs: 00BF3B04
CurrentMajorVersionNumber, xrefs: 00BF3AAE

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$Pv$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-2402317090
Opcode ID: 1b15d364fea608dc50aee8135fac9618d1add4b1cce5e7d7566b9311f197e87c
Instruction ID: 3b826493d6e829e3b403a2bd2bf8823bd666e902e9566afafe2cb7372ad616fa
Opcode Fuzzy Hash: 1b15d364fea608dc50aee8135fac9618d1add4b1cce5e7d7566b9311f197e87c
Instruction Fuzzy Hash: 0DA138B590072C9FDB20DF25DC45BA9B7F6EB44B11F0002E5E609B7290EB766A98CF50

Function 6C603890 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603904
RegQueryValueExW.KERNEL32(?,CurrentMajorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603933
RegQueryValueExW.KERNEL32(?,CurrentMinorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C60394D
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603977
RegQueryValueExW.KERNEL32(?,CurrentBuildNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C6039E4
RegQueryValueExW.KERNEL32(?,ReleaseId,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603A48
RegQueryValueExW.KERNEL32(?,CSDVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603A8B
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603B2A
GetProcAddress.KERNEL32(00000000), ref: 6C603B31
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603B62
IsWow64Process.KERNEL32(?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603B71
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,6C644669,000000FF), ref: 6C603BA2

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 6C6038FA
IsWow64Process, xrefs: 6C603B20
CurrentMinorVersionNumber, xrefs: 6C603945
CurrentBuildNumber, xrefs: 6C6039DC
CurrentMajorVersionNumber, xrefs: 6C60392B
ReleaseId, xrefs: 6C603A40
CurrentVersion, xrefs: 6C60396F
CSDVersion, xrefs: 6C603A83
kernel32, xrefs: 6C603B25

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-3583743485
Opcode ID: 1acbb94f6bd992fd7131c06a176cb45bd4820352f4e34a6162446dcf220280ba
Instruction ID: d6a585bed0521eef44804418a71961d9cb320bdeba199f02a6cf70e84871e5c5
Opcode Fuzzy Hash: 1acbb94f6bd992fd7131c06a176cb45bd4820352f4e34a6162446dcf220280ba
Instruction Fuzzy Hash: A2919FB1A002499FDF24CFA5CD85FEE77B4FB09719F10452AE815B7690E730AA44CB68

Function 00C0BA50 Relevance: 25.7, APIs: 10, Strings: 4, Instructions: 1160threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00C0BC64
SetLastError.KERNEL32(0000000E), ref: 00C0BC81
GetCurrentThreadId.KERNEL32 ref: 00C0BC99
EnterCriticalSection.KERNEL32(00E072EC), ref: 00C0BCB6
LeaveCriticalSection.KERNEL32(00E072EC), ref: 00C0BCD9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00C0BEE6
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00C0C173

Part of subcall function 00C34A40: CloseHandle.KERNEL32(?,2E261FC3,?,00000010,?,00000000,00D35363,000000FF,?,00C103F2,00000000,00000000,00000000,00000001,?,0000000D), ref: 00C34A7A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00C0BF1A

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

Part of subcall function 00BD5250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00E02000,00C280E8,?), ref: 00BD5268
Part of subcall function 00BD5250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00BD529A

DialogBoxParamW.USER32(000007D0,00000000,00B362D0,00000000), ref: 00C0BCF6

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Strings

r, xrefs: 00C0BCA2
Advinst_Extract_, xrefs: 00C0BE7D, 00C0BE92, 00C0BE9C
FILES.7z, xrefs: 00C0C46F
Code returned to Windows by setup:, xrefs: 00C0C9A7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z$r
API String ID: 1122345507-179172896
Opcode ID: 1aa424336c46521d98581b74ca99342799519fcdf540d9d94992d7fb63ff90c3
Instruction ID: c8c5b3bd21d912d7854d730fef37708174661e0ec62158d1f2b56e2d3b9aec15
Opcode Fuzzy Hash: 1aa424336c46521d98581b74ca99342799519fcdf540d9d94992d7fb63ff90c3
Instruction Fuzzy Hash: 73A2AB309002488FDB14DFA8CC99BEEBBB5AF49310F148299E515A73D2DB74AE45CF90

Function 00C0BE00 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00C0BEE6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00C0BF1A

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

Strings

Language selected programatically for UI:, xrefs: 00C0CED7
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00C0CD84
Language used for UI:, xrefs: 00C0CF6E
A valid language was received from commnad line. This is:, xrefs: 00C0CBAD
Language of a related product is:, xrefs: 00C0CE00
Software\Caphyon\Advanced Installer\, xrefs: 00C0CD70
%hu, xrefs: 00C0CBE7
AI_BOOTSTRAPPERLANGS, xrefs: 00C0D91F, 00C0D931, 00C0D93B
Advinst_Extract_, xrefs: 00C0BE7D, 00C0BE92, 00C0BE9C
Code returned to Windows by setup:, xrefs: 00C0C9A7
Languages of setup:, xrefs: 00C0DBFA

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 2083075878-297406034
Opcode ID: bf749e83395d3b00f81ca52c4211fc594210feef55ac2f3c82af3eeb0424aa5e
Instruction ID: d14e1c6820b2c33225c75ebc966296bb034530de30c9f51d3ce876a959ea579d
Opcode Fuzzy Hash: bf749e83395d3b00f81ca52c4211fc594210feef55ac2f3c82af3eeb0424aa5e
Instruction Fuzzy Hash: 0AE1CD319006589FDB15DF68CC55BAEBBB5EF49320F144299E929A73D2DB30AE01CF90

Function 00C34330 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 371
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

SetWindowTextW.USER32(00000000,?), ref: 00C345A6
GetDlgItem.USER32(00000000,000007D1), ref: 00C345BD
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 00C345CF
SetFocus.USER32(00000000), ref: 00C345DA
GetDlgItem.USER32(00000000,000007D1), ref: 00C34618
GetDlgItem.USER32(00000000,0000042D), ref: 00C34628
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C34638
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 00C34654
RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 00C34664
EndDialog.USER32(00000000,00000002), ref: 00C34681
GetDlgItem.USER32(00000000,000007D1), ref: 00C346B3
EndDialog.USER32(00000000,00000001), ref: 00C34740

Strings

PackageCode, xrefs: 00C3445A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Item$MessageSend$DialogWindow$FocusHeapProcessRedrawText
String ID: PackageCode
API String ID: 264263596-1525858878
Opcode ID: 8bab2aed03df18d4e5d894a46d17e2d1124590da8593b94b7a36aedf84ba9b25
Instruction ID: f1821086ca9e1256205f3bee1e40a875f60530cf4f8f8a76ac8aa46b9dd2773d
Opcode Fuzzy Hash: 8bab2aed03df18d4e5d894a46d17e2d1124590da8593b94b7a36aedf84ba9b25
Instruction Fuzzy Hash: 9ED11131A00205AFDB18DFA8DC49BAEB7B5FF49310F144129F926A72E1DB75AD40CB91

Function 00C1C850 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00C1C88D
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00C1C8CA
GetCurrentThreadId.KERNEL32 ref: 00C1C955
SetWindowTextW.USER32(?,00000000), ref: 00C1C9E4
GetDlgItem.USER32(?,000003E9), ref: 00C1C9F2
SetWindowTextW.USER32(00000000,?), ref: 00C1C9FE

Part of subcall function 00C12C70: GetDlgItem.USER32(?,00000002), ref: 00C12C8D
Part of subcall function 00C12C70: GetWindowRect.USER32(00000000,?), ref: 00C12CA3
Part of subcall function 00C12C70: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00C1C8AD), ref: 00C12CB8
Part of subcall function 00C12C70: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00C1C8AD), ref: 00C12CC3
Part of subcall function 00C12C70: GetDlgItem.USER32(?,000003E9), ref: 00C12CD1
Part of subcall function 00C12C70: GetWindowRect.USER32(00000000,?), ref: 00C12CE7
Part of subcall function 00C12C70: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00C12D26

GetDlgItem.USER32(?,00000002), ref: 00C1CA8E
SetWindowTextW.USER32(00000000,00000000), ref: 00C1CA96

Part of subcall function 00ACBC50: RaiseException.KERNEL32(?,?,00000000,00000000,00BD92DC,C0000005,00000001,2E261FC3,00DF8AB8,0553FD28,?,00E01FAC,00DF8AB8,00CE3E70,000000FF), ref: 00ACBC5C

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

r, xrefs: 00C1C8F5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID: r
API String ID: 1085195845-3729450569
Opcode ID: db091b18dbd9ce92289dd10d8f2ff6dced26bef8ebbfef635aa428664b41279d
Instruction ID: 1482424cb19d1bc2149b7ebae2178ac62838114b05ad5a9b07b02f228896372a
Opcode Fuzzy Hash: db091b18dbd9ce92289dd10d8f2ff6dced26bef8ebbfef635aa428664b41279d
Instruction Fuzzy Hash: DD71BB70900709EFDB11DFA5CC88BAABBB4FF05310F044629F565A72E1CB75A984DBA1

Function 00AF23C0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 372
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00AF24E8
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00AF24FA
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00AF2508
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00AF2517

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Strings

21.5, xrefs: 00AF260A
ShutdownEmbeddedUI, xrefs: 00AF2500
EmbeddedUIHandler, xrefs: 00AF250E
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00AF2449
build , xrefs: 00AF261F
INAN, xrefs: 00AF23F5
InitializeEmbeddedUI, xrefs: 00AF24F4
e6df463a, xrefs: 00AF262E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: build $21.5$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$e6df463a
API String ID: 230625546-509971943
Opcode ID: dd66a22c4d0999c2ffa7b039864ee4f7c60dcb14b9fc871602550fb87551345e
Instruction ID: d81ef5d8223330e02d543cc68fc6a2d43a5fbcb2c7076a5f06dc0cdbdcbc1188
Opcode Fuzzy Hash: dd66a22c4d0999c2ffa7b039864ee4f7c60dcb14b9fc871602550fb87551345e
Instruction Fuzzy Hash: ECD1D075E006099FCB04DFA8C955BEEBBB5FF48314F148219F915A7381EB74AA05CBA0

Function 00AC3380 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00AC3477
GetProcAddress.KERNEL32(00000000), ref: 00AC347E
GetWindowsDirectoryW.KERNEL32(?,00000104,2E261FC3,?,?), ref: 00AC34C4
PathFileExistsW.SHLWAPI(?), ref: 00AC34EC
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 00AC3577

Part of subcall function 00CBCAB5: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAC0
Part of subcall function 00CBCAB5: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAFA

GetTempPathW.KERNEL32(00000104,?,2E261FC3,?,?), ref: 00AC359A

Part of subcall function 00CBCA64: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCA6E
Part of subcall function 00CBCA64: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAA1
Part of subcall function 00CBCA64: WakeAllConditionVariable.KERNEL32(00E00884,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAAC

Strings

Kernel32.dll, xrefs: 00AC3472
\SystemTemp\, xrefs: 00AC34CA
S-1-5-18, xrefs: 00AC3519
GetTempPath2W, xrefs: 00AC346D
S-1-5-32-544, xrefs: 00AC352A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 3143601600-595641723
Opcode ID: 34db876d5c651f56174d05053c72a2a60cddb5211c91045ea3c252b94d9cea53
Instruction ID: 37372019acdddf549df62f6ebebbfaa3b2437a6aa266b81ae086bf94a432a8e4
Opcode Fuzzy Hash: 34db876d5c651f56174d05053c72a2a60cddb5211c91045ea3c252b94d9cea53
Instruction Fuzzy Hash: CCA1B4B1D00218EFDB20DFA5DD89BDDB7B8EB04714F1041A9E509A7291EB746F48CBA1

Function 6C5F1960 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 448
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,00000000), ref: 6C5F1A6E
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,00000000), ref: 6C5F1C1E

Part of subcall function 6C5E1FD0: GetProcessHeap.KERNEL32 ref: 6C5E202C

FindNextFileW.KERNELBASE(00000000,?,00000000,?,6C641A66,*.*,00000003,00000000,?,00000000), ref: 6C5F1D05
DeleteFileW.KERNEL32(00000000,?), ref: 6C5F1F2F

Part of subcall function 6C5E1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5E13F3
Part of subcall function 6C5E1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5E140A
Part of subcall function 6C5E1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5E1417
Part of subcall function 6C5E1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5E1429
Part of subcall function 6C5E1330: #8.MSI(00000000,?,00000000), ref: 6C5E1438

Strings

*.*, xrefs: 6C5F1B00
AiEmbeddedDirectCall, xrefs: 6C5F1A68, 6C5F1C18
Logging is enabled, sending data ..., xrefs: 6C5F1BC2
Logging is disabled, discard collected data., xrefs: 6C5F1A12
session, xrefs: 6C5F1E3C

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: #125File$#103DeleteFindHeapNextProcess
String ID: *.*$AiEmbeddedDirectCall$Logging is disabled, discard collected data.$Logging is enabled, sending data ...$session
API String ID: 1195310492-2699366553
Opcode ID: 023a282a687c4c55aee58a3bc002041c45a432325af6edb78301ddb205f1785f
Instruction ID: af22d92b3694711c10691b73f2ff736b672b48236c72a1e5c0343ee1b3b60bcd
Opcode Fuzzy Hash: 023a282a687c4c55aee58a3bc002041c45a432325af6edb78301ddb205f1785f
Instruction Fuzzy Hash: B4020070901258CBDB1ADB64CC647EEBBB5AF49318F24418CD425A7781DB709F8ACF91

Function 6C6044A0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 343
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,B01345AF,?,00000000), ref: 6C60452B
ReadFile.KERNEL32(?,00000000,00001000,?,00000000,00001000), ref: 6C60459D
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,?), ref: 6C604834
CloseHandle.KERNEL32(?), ref: 6C604895

Strings

4fl, xrefs: 6C604886

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Read$CloseCreateHandle
String ID: 4fl
API String ID: 1724936099-2073650891
Opcode ID: 8b0977cfe3a577b0eac5c8d33ecc0ad822212c72e57eb9bc7db2c60fc21928c4
Instruction ID: 68be2ce200d4fda4ac45af9693f554fdd40ba0dae30ebb14a3b0cb0df0ed953a
Opcode Fuzzy Hash: 8b0977cfe3a577b0eac5c8d33ecc0ad822212c72e57eb9bc7db2c60fc21928c4
Instruction Fuzzy Hash: 20D1A071E01348DBDB24CFA4CA447AEBBB5BF56308F20461DD415BB680E7B4A948CB95

Function 00ACBD40 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,2E261FC3,?,?,?,00000000,00000000,?), ref: 00ACBD7F
GetCurrentThreadId.KERNEL32 ref: 00ACBDC3
EnterCriticalSection.KERNEL32(00E072EC), ref: 00ACBDE3
LeaveCriticalSection.KERNEL32(00E072EC), ref: 00ACBE07
CreateWindowExW.USER32(00000000,?,00000000,r,?,?,?,?,00000000,?,00000000), ref: 00ACBE61

Part of subcall function 00CBC189: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00C1C8C1,?,?,?), ref: 00CBC18E
Part of subcall function 00CBC189: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00CBC195

Strings

r, xrefs: 00ACBDCC
AXWIN UI Window, xrefs: 00ACBEEA
r, xrefs: 00ACBE54

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window$r$r
API String ID: 213679520-2110603929
Opcode ID: dea60d0cc7f30fad61b02fc254f0cea91242d8f95b5df493f07487a4f39ff0d3
Instruction ID: da602702aa18fc49f613d31e972f85caacfe2c6cfb2eb90709afa09998a80b6c
Opcode Fuzzy Hash: dea60d0cc7f30fad61b02fc254f0cea91242d8f95b5df493f07487a4f39ff0d3
Instruction Fuzzy Hash: B851AE72604305AFDB20CF99DC46FAABBA9EB44B10F11811EF954E7290D771A804CBB0

Function 00CBBF1B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00CBC261,00E00844,?,?,?,00C3486D,?,?,?,00000001,?), ref: 00CBBF2D
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00CBC261,00E00844,?,?,?,00C3486D,?,?,?,00000001), ref: 00CBBF42
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00CBBFBE

Strings

AtlThunk_DataToCode, xrefs: 00CBBF81
AtlThunk_InitData, xrefs: 00CBBF6A
AtlThunk_FreeData, xrefs: 00CBBF98
atlthunk.dll, xrefs: 00CBBF3D
AtlThunk_AllocateData, xrefs: 00CBBF53

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 6ba9d278da2f0fcd69a2c4ba20203f34fdfad3aa94c3730abbd37a3921e478cd
Instruction ID: bfdea30e3430642151477cfde25a7bbfb881d65150def17aaf0504dfbd4fc991
Opcode Fuzzy Hash: 6ba9d278da2f0fcd69a2c4ba20203f34fdfad3aa94c3730abbd37a3921e478cd
Instruction Fuzzy Hash: 8401843CA443147FCA159BD1AC46BEA3B54AF027C4F040050BC05772D2DBE1AEC9D9E1

Function 00C10BE0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 304filethreadCOMMON

Download Yara Rule

APIs

GetExitCodeThread.KERNEL32(?,?,2E261FC3,00000000,00000000,?,?,?,00000000,00D2EA25,000000FF,?,00C09A32,?,000000DC,00000000), ref: 00C10C26

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C10CDB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C10D05

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

Part of subcall function 00BD5250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00E02000,00C280E8,?), ref: 00BD5268
Part of subcall function 00BD5250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00BD529A

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 00C10E8A
FlushFileBuffers.KERNEL32(?), ref: 00C10E93

Part of subcall function 00C34A40: CloseHandle.KERNEL32(?,2E261FC3,?,00000010,?,00000000,00D35363,000000FF,?,00C103F2,00000000,00000000,00000000,00000001,?,0000000D), ref: 00C34A7A

Strings

CLOSE, xrefs: 00C10E4D, 00C10E5F, 00C10E69
Advinst_Estimate_, xrefs: 00C10C72, 00C10C84, 00C10C8E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 1271795120-755230127
Opcode ID: 1a648ac64eb3f10e4001f5c2676b0025df3cf3d87841635e3e95e39328885a03
Instruction ID: 2299534f52858e11e3785ba1b298d1004e1a0a6e119a84a9abc1805c9c443231
Opcode Fuzzy Hash: 1a648ac64eb3f10e4001f5c2676b0025df3cf3d87841635e3e95e39328885a03
Instruction Fuzzy Hash: EFB1B174A006489FDB00DFA8CC95BAEBBB4AF49320F24415CF425A73D1DB749E45DBA1

Function 00BF8840 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 291fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2E261FC3,00000000,00000000,?), ref: 00BF889B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 00BF8A3D
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 00BF8ADF
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 00BF8B07
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 00BF8B33

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

DeleteFileW.KERNEL32(?,2E261FC3,?,00000000,00CE3A40,000000FF,?,80070057,80004005,?), ref: 00BF8BED

Strings

shim_clone, xrefs: 00BF8A37

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone
API String ID: 4011074531-3944563459
Opcode ID: 717a5b5794300aef7c09362f5a2175caf7cfe0cca3da8c63eb2fff0fea42b969
Instruction ID: e9e9eb86f0f397782cce53d6e62320dca5940c5614d16099ef5296e3a9b73d8d
Opcode Fuzzy Hash: 717a5b5794300aef7c09362f5a2175caf7cfe0cca3da8c63eb2fff0fea42b969
Instruction Fuzzy Hash: 84B1F2B5A006589FDB24DB24CC45BBAB7F4EF45300F1480EDE606A7292EF71AE48CB55

Function 6C5EB7D0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 287COMMON

Download Yara Rule

APIs

#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EBB32
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EC042
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EBD92

Part of subcall function 6C5E63E0: #171.MSI(00000000,?,6C66E00C,?), ref: 6C5E6416
Part of subcall function 6C5E63E0: #171.MSI(00000000,?,00000000,?,?,055FEE68), ref: 6C5E6456

#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,?,055FEE68), ref: 6C5EC4C2
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000,?,055FEE68), ref: 6C5EC831
#47.MSI(?,AiEmbeddedDirectCall,6C66E00C,00000000), ref: 6C5EC214

Part of subcall function 6C5E1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5E13F3
Part of subcall function 6C5E1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5E140A
Part of subcall function 6C5E1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5E1417
Part of subcall function 6C5E1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5E1429
Part of subcall function 6C5E1330: #8.MSI(00000000,?,00000000), ref: 6C5E1438

Part of subcall function 6C5E1FD0: GetProcessHeap.KERNEL32 ref: 6C5E202C

Strings

-> , xrefs: 6C5EBAAD
LIMITUI, xrefs: 6C5EB540
Action ended, xrefs: 6C5EC0EF
Track screen: [, xrefs: 6C5EC7A9
LogonUser, xrefs: 6C5EB5EB
4il, xrefs: 6C5EB8FD
AiEmbeddedDirectCall, xrefs: 6C5EBB2C, 6C5EBD8C, 6C5EC03C, 6C5EC20E, 6C5EC4BC, 6C5EC82B
fatal error, xrefs: 6C5EB93C
Warning: , xrefs: 6C5EBD1C
Lifecycle: , xrefs: 6C5EBA92
user abort, xrefs: 6C5EB8E9, 6C5EB951
success, xrefs: 6C5EB889
Exception >> , xrefs: 6C5EC439
Error: , xrefs: 6C5EBFB3
W, xrefs: 6C5EC658
Crash >> , xrefs: 6C5EC18B
xxgl, xrefs: 6C5EB61D
end, xrefs: 6C5EB997, 6C5EBA9E
Info 1720, xrefs: 6C5EC3DD

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: #125#171$#103HeapProcess
String ID: -> $4il$Action ended$AiEmbeddedDirectCall$Crash >> $Error: $Exception >> $Info 1720$LIMITUI$Lifecycle: $LogonUser$Track screen: [$W$Warning: $end$fatal error$success$user abort$xxgl
API String ID: 3629383927-2025538812
Opcode ID: 1af094675954c38511e44a647f9b1e3c73b04d2082080a318b09867c87c774b2
Instruction ID: d7f39322db2648cb20dffb9941035203410496859d3b0f7eb7995700764e4895
Opcode Fuzzy Hash: 1af094675954c38511e44a647f9b1e3c73b04d2082080a318b09867c87c774b2
Instruction Fuzzy Hash: F9B1F370E01244DBCF05DFA9C994BADBBB1FF89318F14814DE411AB780DB749A40CB99

Function 00C0A360 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00C332B0: GetUserNameW.ADVAPI32(?,?), ref: 00C3332B
Part of subcall function 00C332B0: GetLastError.KERNEL32 ref: 00C33335
Part of subcall function 00C332B0: GetUserNameW.ADVAPI32(?,?), ref: 00C3337D
Part of subcall function 00C332B0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00C333B7
Part of subcall function 00C332B0: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00C33402

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 00C0A675
OpenProcessToken.ADVAPI32(00000000), ref: 00C0A67C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00C0A6AB
CloseHandle.KERNEL32(00000000), ref: 00C0A6C0

Strings

,{, xrefs: 00C0A4C3
,{, xrefs: 00C0A446
\/:*?"<>|, xrefs: 00C0A441

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$CloseCurrentErrorHandleInformationLastOpen
String ID: ,{$,{$\/:*?"<>|
API String ID: 3139386598-3763250311
Opcode ID: 054fd8713ac829677ba4d52ffd51e6f70ff720d53edbb096966af394082fbe99
Instruction ID: 99f64060440317d2b03d308b442097e7d9f7269245312956fc4d8e00d5350b90
Opcode Fuzzy Hash: 054fd8713ac829677ba4d52ffd51e6f70ff720d53edbb096966af394082fbe99
Instruction Fuzzy Hash: 47C1CC30D00358CFCB14DFA8C898BEEBBB9BF15304F244259E415AB2D2DB75AA45CB91

Function 6C5F2FC0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 246fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,B01345AF,?,00000000), ref: 6C5F306F
GetFileSize.KERNEL32(00000000,00000000), ref: 6C5F3191
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 6C5F31BD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5F31D3
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6C5F3216
CloseHandle.KERNEL32(00000000), ref: 6C5F327B

Strings

4fl, xrefs: 6C5F326C

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Write$CloseCreateHandlePointerSize
String ID: 4fl
API String ID: 3932932802-2073650891
Opcode ID: 5dbec6765b936de311a47adab79c84ecbcaf153ee8e8b31d3297f83743476cd4
Instruction ID: 4fe2aa447a9239594f5fd2941c27817b1d04bb620ce09058c457d425c570512f
Opcode Fuzzy Hash: 5dbec6765b936de311a47adab79c84ecbcaf153ee8e8b31d3297f83743476cd4
Instruction Fuzzy Hash: 44A170B0D01208DFEB14CFA4CD59BDEBBB5BF45308F208259E424A7681D774AA49CF95

Function 00BF1DE0 Relevance: 10.9, APIs: 7, Instructions: 423fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,2E261FC3,00000000), ref: 00BF1F4B
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00BF1FBD
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00BF2269
CloseHandle.KERNEL32(?), ref: 00BF22C7

Part of subcall function 00BF1DE0: LoadStringW.USER32(000000A1,?,00000514,2E261FC3), ref: 00BF1D38

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Read$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 2846944389-0
Opcode ID: dee1130ef151b413d362f70e546513f1880ffe2a11113331bec4cb9bf6ef3934
Instruction ID: 39e4eb9a81009f8ca4a596591fa59fbd06a1e724b2104314c92f6d701cb73d18
Opcode Fuzzy Hash: dee1130ef151b413d362f70e546513f1880ffe2a11113331bec4cb9bf6ef3934
Instruction Fuzzy Hash: 87F18F71E00318DBDB14CFA8C958BAEBBF5FF49314F204259E515AB381DB74AA48CB91

Function 00C1A920 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 248fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 00C1AB1E
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00C1AB80
SetEndOfFile.KERNEL32(?), ref: 00C1AB89
CloseHandle.KERNEL32(?), ref: 00C1ABA2

Strings

Not enough disk space to extract file:, xrefs: 00C1A9FB
%sholder%d.aiph, xrefs: 00C1AAFA

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CloseCreateHandlePointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 22866420-929304071
Opcode ID: d3c64b6f7e11917eea5e0d8242e1099edfc4c6a91b8433acf2f3f4f23e914673
Instruction ID: 4b00bbb7865878bf08a8ac6c161f0ad01d8441b14316848f1652fadce9398e2a
Opcode Fuzzy Hash: d3c64b6f7e11917eea5e0d8242e1099edfc4c6a91b8433acf2f3f4f23e914673
Instruction Fuzzy Hash: 7491BF75A002099FCB04DFA8C945BEEB7B5FF49320F244259E821A7391DB31AE41DFA1

Function 00C39460 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,2E261FC3,?,?,?), ref: 00C39506
GetLastError.KERNEL32(?,?,?), ref: 00C39514
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 00C3952F

Strings

ADVINSTSFX, xrefs: 00C39563, 00C3961E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: a1ffb190667fa812099d62816cb20670391053dacb78f90791a13cf5e94f535f
Instruction ID: 32ea54f497304730dde2dc5280e0055394591b5b1deb8fd9f35ec5c48f483607
Opcode Fuzzy Hash: a1ffb190667fa812099d62816cb20670391053dacb78f90791a13cf5e94f535f
Instruction Fuzzy Hash: 3061FFB1A102098BDF05CF68C885BBFBBB9FF45310F144268E425A7381D7B49E41CB64

Function 00BEE0C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,00CE8ADD,000000FF,?,00BEE418,?), ref: 00BEE170

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

RemoveDirectoryW.KERNEL32(?,2E261FC3,?,?,00000000,?,?,00CE8ADD,000000FF,?,00BEE418,?,00000000), ref: 00BEE1AB
GetLastError.KERNEL32(?,2E261FC3,?,?,00000000,?,?,00CE8ADD,000000FF,?,00BEE418,?,00000000), ref: 00BEE1BB
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00CE8ADD,000000FF,?,80004005,2E261FC3), ref: 00BEE290
GetLastError.KERNEL32(?,?,00000000,?,00000000,00CE8ADD,000000FF,?,80004005,2E261FC3,?,?,00000000,?,?,00CE8ADD), ref: 00BEE2DB

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Strings

\\?\, xrefs: 00BEE131, 00BEE143, 00BEE14D, 00BEE251, 00BEE263, 00BEE26D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 728736790-4282027825
Opcode ID: 4334ea4ab5f942a88b423986ad16939f2bdea1741f7642d71d84598dde3e762f
Instruction ID: 262369d3c5f2296a5509b559fb5df906d59371f1696031b371c3a8ff2ec29ab0
Opcode Fuzzy Hash: 4334ea4ab5f942a88b423986ad16939f2bdea1741f7642d71d84598dde3e762f
Instruction Fuzzy Hash: B551D135A00A549FCB009FA9DC58BAEB7E8FF09320F144669E925E7390DB74D904CBA1

Function 6C60E9CA Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C60EA11
___scrt_uninitialize_crt.LIBCMT ref: 6C60EA2B

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: d833cdaaeb675e98aa76117e20c591b1f7e517dcf6b8e4e6e413036fc2a5cf89
Instruction ID: 6d21c25ad7d3fd3daf146651201c3276d627efded3fc4a1129ba111d2f0a1e70
Opcode Fuzzy Hash: d833cdaaeb675e98aa76117e20c591b1f7e517dcf6b8e4e6e413036fc2a5cf89
Instruction Fuzzy Hash: EA41E332F01639EEDB188F55CB40B9E7BB5EB867A8F104119E89576B90C7308D058BDC

Function 00ACBA61 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00ACBB0F
GetWindowLongW.USER32(?,000000FC), ref: 00ACBB1E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00ACBB39
GetWindowLongW.USER32(?,000000FC), ref: 00ACBB53
SetWindowLongW.USER32(?,000000FC,?), ref: 00ACBB65

Strings

$, xrefs: 00ACBA91

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 9189818cc6e5efeee4235b88b461dfbd362ce39aa240bb7af841ab12d65cc44c
Instruction ID: d397877dbef9804d0cc303a175626c3a7ddb2850f2fd06d495f6a72b80adf7ba
Opcode Fuzzy Hash: 9189818cc6e5efeee4235b88b461dfbd362ce39aa240bb7af841ab12d65cc44c
Instruction Fuzzy Hash: D74135B1604706AFC704DF19C885A1AFBF5FB89360F144A1DF994936A0C772ADA4CF92

Function 00BD7370 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2E261FC3,00000000), ref: 00BD73B5
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00BD73DE
RegCreateKeyExW.KERNEL32(?,00BEBE7F,00000000,00000000,00000000,00000000,00000000,00000000,?,2E261FC3,00000000), ref: 00BD7437
RegCloseKey.ADVAPI32(00000000), ref: 00BD744A

Strings

Advapi32.dll, xrefs: 00BD73B0
RegCreateKeyTransactedW, xrefs: 00BD73D8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: 832d3360bd505cd5c2a75d7437e71ac91c79e5e5164ec77a05564ffc160c5676
Instruction ID: 1ba7f4d5d5a1a581e3e0842d9d6d987ff9b9fb0e4166cffc981a97ae39d84efc
Opcode Fuzzy Hash: 832d3360bd505cd5c2a75d7437e71ac91c79e5e5164ec77a05564ffc160c5676
Instruction Fuzzy Hash: F2317071A44309AFDB258F55DC45FAAFBB8FB44720F10816AF905E6390EB71A804CBA4

Function 00BF1A80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,2E261FC3,?,00000000,00000000), ref: 00BF1ABA
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00BF1AE0
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000000), ref: 00BF1B4B
FreeLibrary.KERNEL32(00000000), ref: 00BF1B69

Strings

ComCtl32.dll, xrefs: 00BF1AAE
LoadIconMetric, xrefs: 00BF1ADA

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: LibraryLoad$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1597520822-764666640
Opcode ID: 97cb0c3e3f9809830b8b27d4f54c0b8bfe3537e3ef76d975c80a14a120d7b3f9
Instruction ID: 199434d476dbe3d568f52b877c7e3cee698cb8a551b85422d200835008bbbedf
Opcode Fuzzy Hash: 97cb0c3e3f9809830b8b27d4f54c0b8bfe3537e3ef76d975c80a14a120d7b3f9
Instruction Fuzzy Hash: 4C317C71A40219EFDB119FA9DC18BBFBBB9EB45750F000669F915A3390E7764D048BA0

Function 00C12C70 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00C12C8D
GetWindowRect.USER32(00000000,?), ref: 00C12CA3
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00C1C8AD), ref: 00C12CB8
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00C1C8AD), ref: 00C12CC3
GetDlgItem.USER32(?,000003E9), ref: 00C12CD1
GetWindowRect.USER32(00000000,?), ref: 00C12CE7
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00C12D26

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: b2e44d299a3bc23b6b79f445b33e95b07e28320fd957f1aa6e4d35f6e4846bb1
Instruction ID: 014adff15081601b82f3ab1ea629333f008d7601d51f46c6fe3b305e5fd106e9
Opcode Fuzzy Hash: b2e44d299a3bc23b6b79f445b33e95b07e28320fd957f1aa6e4d35f6e4846bb1
Instruction Fuzzy Hash: 1E21AC31614305AFE300DF35DD49B6BBBE9EF8D700F048629F955E2290EB70AD948B92

Function 00C17490 Relevance: 9.4, APIs: 6, Instructions: 447fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,2E261FC3,00000000), ref: 00C174F7
GetLastError.KERNEL32 ref: 00C1782A
GetLastError.KERNEL32 ref: 00C178BA
GetLastError.KERNEL32 ref: 00C17506

Part of subcall function 00BF18D0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,2E261FC3,?,00000000), ref: 00BF191B
Part of subcall function 00BF18D0: GetLastError.KERNEL32(?,00000000), ref: 00BF1925

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00C17619
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 00C17670

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 63d856158450596ebd79b8b3577ee22947c96ec30ad2b36f30e4f6c26fd7ad44
Instruction ID: ecfe04917cf14a2a871acdc3b451d4e6939a62cc9dbfeaaad229e1abe6da44f3
Opcode Fuzzy Hash: 63d856158450596ebd79b8b3577ee22947c96ec30ad2b36f30e4f6c26fd7ad44
Instruction Fuzzy Hash: 5A029F71E006099FDB04DFA8C944BEEBBB5FF49320F144259E425E7391EB34AA45CBA0

Function 00C0ACB0 Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 615COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00C0B1FA
/i , xrefs: 00C0B2C7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FindResource
String ID: /i $\\?\
API String ID: 1635176832-3071488798
Opcode ID: 69f5539bce6152d5e423401c1c8cab65448d61df4dd0447fc00803ab960861bf
Instruction ID: 505b7bba3b89873b619b889898dcc8bd284a5fd5de5db9bb99d49b395b6c1433
Opcode Fuzzy Hash: 69f5539bce6152d5e423401c1c8cab65448d61df4dd0447fc00803ab960861bf
Instruction Fuzzy Hash: E6329A70A00609DFDB18DFA8C858BADBBB5BF45314F144219E426A73E1DB74AE46CF90

Function 00C1CAC0 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00C3B900,00D92234,00000000,?), ref: 00C1CB3D
GetLastError.KERNEL32 ref: 00C1CB4A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00C1CB73
GetExitCodeThread.KERNEL32(00000000,?), ref: 00C1CB8D
TerminateThread.KERNEL32(00000000,00000000), ref: 00C1CBA5
CloseHandle.KERNEL32(00000000), ref: 00C1CBAE

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 3ac4f6a6cabf83c2dbd509358c199c39021cedb61b1075778f13bddd14fdb448
Instruction ID: 04b9de408a7b7cbd5034554d7c61bcc0d5f1cad465766f1a963bc94ab8e1aec8
Opcode Fuzzy Hash: 3ac4f6a6cabf83c2dbd509358c199c39021cedb61b1075778f13bddd14fdb448
Instruction Fuzzy Hash: 1D31E3B4940209ABDF10CF94CD59BEEBBB8FB09724F200669E820F6390D7759A44CB64

Function 00BF8E90 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,00CF0135,2E261FC3,?,?,00000000,00000000,?,00000000,00CF0135,000000FF,?,80004005,2E261FC3,?,00000000), ref: 00BF8EF5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,00CF0135,000000FF,?,80004005,2E261FC3), ref: 00BF8F43

Strings

ProductName, xrefs: 00BF8FB1
\VarFileInfo\Translation, xrefs: 00BF8F85
\StringFileInfo\%04x%04x\%s, xrefs: 00BF8FBB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: cdcc003440cb05eccdd23d0563105a66b3e732118631fa942795375c81fb4dba
Instruction ID: 4e320c43edba43331b3f757cb09d0f2c56295e1fac6069bcefba65b11afca4c6
Opcode Fuzzy Hash: cdcc003440cb05eccdd23d0563105a66b3e732118631fa942795375c81fb4dba
Instruction Fuzzy Hash: 29719130A0020DDFDB04DFA8C999BBEBBF9EF45314F1441A9E611A7291DB359D09CBA1

Function 00BEDEA0 Relevance: 7.7, APIs: 5, Instructions: 174fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00D8A6C0,00000001,2E261FC3,?,0000000A,?,00000000,00D288D5,000000FF), ref: 00BEDFB7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BEDFC8
GetFileAttributesW.KERNEL32(?,?,?,00D8A6C0,00000001,2E261FC3,?,0000000A,?,00000000,00D288D5,000000FF), ref: 00BEDFDB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BEDFEC
FindNextFileW.KERNELBASE(?,?), ref: 00BEE03C

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: 5353c715c362fdf7c957eb1321a2c4f2085b5d2426a5a726fe01b715bf52da47
Instruction ID: ac46063ec0fa63bbd591d138a5f7517bd0aaa043162e2a6dce587415e91029dc
Opcode Fuzzy Hash: 5353c715c362fdf7c957eb1321a2c4f2085b5d2426a5a726fe01b715bf52da47
Instruction Fuzzy Hash: 8751D330500289DFDB24DF6ACD59BEEB7B4FF05310F044269E826972E1DBB49A04CB51

Function 6C60EA7A Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C60EAB7
dllmain_crt_dispatch.LIBCMT ref: 6C60EACE
dllmain_raw.LIBCMT ref: 6C60EB16
dllmain_crt_dispatch.LIBCMT ref: 6C60EB29
dllmain_raw.LIBCMT ref: 6C60EB3C

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: e0297e0ed0ef64648a75794ef492f62be008b4182389f40b44651fbb10df4a9a
Instruction ID: fc27660ef54567a982b98856fb8219128683d93a9b32a9638848d81f3449d383
Opcode Fuzzy Hash: e0297e0ed0ef64648a75794ef492f62be008b4182389f40b44651fbb10df4a9a
Instruction Fuzzy Hash: C8219172F01639EECB295E55CF80AAF7E69EB867A8F014115F89577B90C7308D018BD8

Function 00BEF430 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00BEF447
PeekMessageW.USER32(?,00000000), ref: 00BEF478
TranslateMessage.USER32(00000000), ref: 00BEF487
DispatchMessageW.USER32(00000000), ref: 00BEF492
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00BEF4A8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: a9af5542e3aeac155528aa14a23d7a144f0d6c055bdb624bcb6d66b1adebf2ae
Instruction ID: bb9a4222d766d985901996a123230d08ae4da907a5c9a7400515714949b5eb58
Opcode Fuzzy Hash: a9af5542e3aeac155528aa14a23d7a144f0d6c055bdb624bcb6d66b1adebf2ae
Instruction Fuzzy Hash: 8F01B170A443067FE7208B528D49B7B77ECEB48B10F548639B668E11C0E779D6888B22

Function 00BEE1E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00CE8ADD,000000FF,?,80004005,2E261FC3), ref: 00BEE290

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

DeleteFileW.KERNEL32(?,2E261FC3,?,?,?,?,00000000,00CE8ADD,000000FF,?,00BEDFFA), ref: 00BEE2CB
GetLastError.KERNEL32(?,?,00000000,?,00000000,00CE8ADD,000000FF,?,80004005,2E261FC3,?,?,00000000,?,?,00CE8ADD), ref: 00BEE2DB

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Strings

\\?\, xrefs: 00BEE131, 00BEE143, 00BEE14D, 00BEE251, 00BEE263, 00BEE26D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DeleteFile$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 2079828947-4282027825
Opcode ID: d5b81ccab9fa1833414071ba4ac65ceb4df0dfa5c9fd672d6889b5007bac1244
Instruction ID: 869b0de31927683c152e86265496cb5789424fe1b04818bc1025fea6dbd2babb
Opcode Fuzzy Hash: d5b81ccab9fa1833414071ba4ac65ceb4df0dfa5c9fd672d6889b5007bac1244
Instruction Fuzzy Hash: 3831B1356006559FCB009FA9D858BAEB7E8FF09320F144569EA21D7391DB749D04CB60

Function 6C5DFB20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 6C5DFB7D
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C5DFBA2

Strings

AABBCCDD, xrefs: 6C5DFBB6
%08X, xrefs: 6C5DFBD4

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FolderInformationPathVolume
String ID: %08X$AABBCCDD
API String ID: 1564939276-726327320
Opcode ID: b5f9ea89a797ecd59102e1d4646675e2e27c7156004c067d682b24a2307e276d
Instruction ID: 4d77aaad4f7cf947eada95dc84aa79185dc0633c2bd5b299c2acf672e182be80
Opcode Fuzzy Hash: b5f9ea89a797ecd59102e1d4646675e2e27c7156004c067d682b24a2307e276d
Instruction Fuzzy Hash: 1E31A8B0A043189BDB20CF24DC44BEAB7F8EF49704F504699F905A7680D7746A84CF98

Function 00C135B0 Relevance: 6.2, APIs: 4, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,2E261FC3), ref: 00C1368D
GetLastError.KERNEL32 ref: 00C13695
RemoveDirectoryW.KERNEL32(?,2E261FC3), ref: 00C136FD
GetLastError.KERNEL32 ref: 00C13705

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID:
API String ID: 50330452-0
Opcode ID: bce8fc1276fed1bafc97cf23c5bca9a547c17c6083f8cc09b7d63f1ae1622ee4
Instruction ID: fcf828020498319ae885df18ebbde963d17e8f4952704180992a68854d11d59c
Opcode Fuzzy Hash: bce8fc1276fed1bafc97cf23c5bca9a547c17c6083f8cc09b7d63f1ae1622ee4
Instruction Fuzzy Hash: 6351C5B1900255DFDF10DF64C998BEDBBB1FF02308F1541A8E815AB391D735AA88DBA1

Function 00C09BD0 Relevance: 6.2, APIs: 4, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,2E261FC3,?,00000010,?,00C0E130,000000FF), ref: 00C09C36
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00C09C7F
ReadFile.KERNEL32(00000000,2E261FC3,?,000000FF,00000000,00000078,?), ref: 00C09CC1
CloseHandle.KERNEL32(00000000), ref: 00C09D58

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: 446cbdf38280e54a7d37f67a572df08c7778733ca4bf20b1f27709faf2639c86
Instruction ID: fd1211f872e5f2b6c556b77a648e881d28b0d33405879c49970be47dc5757bc0
Opcode Fuzzy Hash: 446cbdf38280e54a7d37f67a572df08c7778733ca4bf20b1f27709faf2639c86
Instruction Fuzzy Hash: 03519171A00209EBDB15CFA8CC48BAEBBB9EF05724F244259E521A73D1D7749E05CBA0

Function 00BF8D80 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF8840: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2E261FC3,00000000,00000000,?), ref: 00BF889B

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,2E261FC3,00000000,?,?,?,?,00000000,00D2A265,000000FF,00000000,00BF8D36,?), ref: 00BF8DCD
GetFileVersionInfoW.KERNELBASE(?,00000000,00D2A265,00000000,00000000,?,?,00000000,00D2A265,000000FF,00000000,00BF8D36,?), ref: 00BF8DF9
GetLastError.KERNEL32(?,?,00000000,00D2A265,000000FF,00000000,00BF8D36,?), ref: 00BF8E3E
DeleteFileW.KERNEL32(?), ref: 00BF8E51

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID:
API String ID: 2825328469-0
Opcode ID: 2b7a7e881776a96c52a74c1bcacd9347109a8586aed3d2d42dfcf8fc5358fc29
Instruction ID: eb649cf1cc81c359573d394487f9c8014d808e8af452f7b20272e73df3545c04
Opcode Fuzzy Hash: 2b7a7e881776a96c52a74c1bcacd9347109a8586aed3d2d42dfcf8fc5358fc29
Instruction Fuzzy Hash: 35315C75901209AFDB11CFA5D984BEFBBB8EF08710F144169E909B3251DB359948CBA1

Function 00C12C00 Relevance: 6.0, APIs: 4, Instructions: 28threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C12C09
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D2DBA0), ref: 00C12C18
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00C12C35
IsWindow.USER32(?), ref: 00C12C43

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 926ce41d5291d82948df56d8164a3ac271c241ab41005e1de0c1281d339eb2b7
Instruction ID: b117f768ee61bb86f4171a36ce5b0bc5205f2a0d6365e8bcf860273312a01b79
Opcode Fuzzy Hash: 926ce41d5291d82948df56d8164a3ac271c241ab41005e1de0c1281d339eb2b7
Instruction Fuzzy Hash: A9F0A7341057409FE7359B25EE18B97BFE0BF0AB00F04085CE186969A1D7B5F4C4CB58

Function 6C605020 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

Part of subcall function 6C5E1FD0: GetProcessHeap.KERNEL32 ref: 6C5E202C

PathIsUNCW.SHLWAPI(00000010), ref: 6C6052F3

Strings

\\?\UNC\, xrefs: 6C6050D1, 6C6051B2, 6C6051B8
\\?\, xrefs: 6C605285, 6C60528B

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 1614bc3f25fedab29e15f57b32b1b855e2ba8f15d18966ebaf73373c9cdfd556
Instruction ID: f22fc01ed9dee24844cb8c0825467bde69546fbd161ad4caffa19777b31bf88f
Opcode Fuzzy Hash: 1614bc3f25fedab29e15f57b32b1b855e2ba8f15d18966ebaf73373c9cdfd556
Instruction Fuzzy Hash: 5402C431B01505CBDF09CFA8C9847AEB7B5FF89328F148259D521A7781DB74AD06CB98

Function 00BEE6E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

PathIsUNCW.SHLWAPI(?,?), ref: 00BEE8AD

Strings

\\?\, xrefs: 00BEE88F, 00BEE895
\\?\UNC\, xrefs: 00BEE789, 00BEE811, 00BEE817

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 824e569bca54c506b481b6bca3cdbfdc9cbda9accec1d1f86bfc84204bf2dbc2
Instruction ID: efa074fe98ab01fd4b234b49ccce58e05f9a27c88b65bf4f2055575e95525dda
Opcode Fuzzy Hash: 824e569bca54c506b481b6bca3cdbfdc9cbda9accec1d1f86bfc84204bf2dbc2
Instruction Fuzzy Hash: AAD1CF31A006498BDB00DBA9CC94BAEB7F9FF48324F1441A9E525E73D1DB74AD05CBA0

Function 00AC3B40 Relevance: 4.9, APIs: 3, Instructions: 352fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,2E261FC3,?), ref: 00AC3BBA
MoveFileW.KERNEL32(?,00000000), ref: 00AC3DFD
DeleteFileW.KERNEL32(?), ref: 00AC3E47

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$DeleteMoveNameTemp
String ID:
API String ID: 788073729-0
Opcode ID: af6715c7d979fc2e52381af34afd6cb9edf66c6decac8baa442880992044508a
Instruction ID: 1a0602e82c7bbc33c0a3738a663a46ed5fcfe67d60f07a18c13df90d61767d7a
Opcode Fuzzy Hash: af6715c7d979fc2e52381af34afd6cb9edf66c6decac8baa442880992044508a
Instruction Fuzzy Hash: 36F18A71D142699ACB24DF28CD98BEDBBB4AF54304F1082DDE409A7291EB756BC4CF81

Function 00AC3780 Relevance: 4.8, APIs: 3, Instructions: 276fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,2E261FC3,?,00000004), ref: 00AC37DB
DeleteFileW.KERNEL32(?,?,00000004), ref: 00AC381F
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 00AC382E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: 0ba18e31f5a15c369917e06d243d550ede2be6b04ac0732ce03221945c75dcd8
Instruction ID: 8a20e6a7742f0836e8b88a0a03e68a45c59a79511f6f2e4766093efdc651ca6e
Opcode Fuzzy Hash: 0ba18e31f5a15c369917e06d243d550ede2be6b04ac0732ce03221945c75dcd8
Instruction Fuzzy Hash: 22B1C071D00248DBDB14DF68C999BEDBBB4EF55304F24829DE815A7281EB746B84CF90

Function 00C59690 Relevance: 4.7, APIs: 3, Instructions: 212synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB0: OpenEventW.KERNEL32(00000000,00000000,2E261FC3,_pbl_evt,00000008,?,?,00D8D49C,00000001,2E261FC3,?), ref: 00C59D5E
Part of subcall function 00C59CB0: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00C59D7B

WaitForSingleObject.KERNEL32(00000000,00000000,00000001,2E261FC3,?,?), ref: 00C596DE
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00D38BD9,000000FF), ref: 00C596F3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Event$CreateObjectOpenResetSingleWait
String ID:
API String ID: 2109722436-0
Opcode ID: 51fe5d538df77829f742ff5787dc1c1e2a546de4f70e882b6da7a7e9807d8c06
Instruction ID: 8e50945279c85d6fdb29c8d3a63a1df9d73f3101738299aedc5606c401b63b11
Opcode Fuzzy Hash: 51fe5d538df77829f742ff5787dc1c1e2a546de4f70e882b6da7a7e9807d8c06
Instruction Fuzzy Hash: D481B071D00244DBDB14CFA8C845B9EBBB0FF55314F24829DE818AB391D775AA86CB94

Function 00C13DA0 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,2E261FC3,00000000,00000010,?,00000010,?), ref: 00C13E3B
GetLastError.KERNEL32 ref: 00C13E7D
GetLastError.KERNEL32(?), ref: 00C13F21

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: e01cd38dd65dca409de733c8b985ee7d36fb8b6583e492182992e092f5c41315
Instruction ID: 650e41cdec16e8d76a2ea36d07320fafd5927d6a80235d585330233a6ee099dd
Opcode Fuzzy Hash: e01cd38dd65dca409de733c8b985ee7d36fb8b6583e492182992e092f5c41315
Instruction Fuzzy Hash: 9A61FF31A00A06AFCB18DF69D845BAAF3B5FF45324F144659E425E33D0EB71BA02CB90

Function 6C605530 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,B01345AF,00000000,?,?,?,00000000,6C6449A5,000000FF,?,6C5F5416,?,00000000), ref: 6C605579
CreateDirectoryW.KERNEL32(6C6449A5,00000000,?,?,6C66E130,00000001), ref: 6C60562A
GetLastError.KERNEL32 ref: 6C605634

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 50b99515267dfcd3cc3330d9eaccec08fc25f0dcd63bbddae49c59ddb0d487fb
Instruction ID: abc6e538dc81c7358e4b1a35b56131056aa90f57dab7e349a8bb6a2d13ca6f45
Opcode Fuzzy Hash: 50b99515267dfcd3cc3330d9eaccec08fc25f0dcd63bbddae49c59ddb0d487fb
Instruction Fuzzy Hash: 73617C70A01209CFDB08DFA8C994BEEB7B5FB49328F148659D411B7790DB359909CF98

Function 00C4C960 Relevance: 4.7, APIs: 3, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00C4D941,40000000,00000001,00000000,00000002,00000080,00000000,2E261FC3,?,?), ref: 00C4C9C2
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 00C4CA68
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00C4CADC

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: b30c5d75525559d57609788ba13f4135e4d1dc6b08c60c194f284ba7746ad290
Instruction ID: e29db0271f03a2f2880ee60a01fd4b752243e97369d2b89218187dd083f71b34
Opcode Fuzzy Hash: b30c5d75525559d57609788ba13f4135e4d1dc6b08c60c194f284ba7746ad290
Instruction Fuzzy Hash: 1E51AD71A01209AFDB10DFA4D985BEEBBB9FF48710F204219F811B7290DB759E04CBA4

Function 00BEEAF0 Relevance: 4.7, APIs: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2E261FC3,00000000,?,?,?,?,?,00D28AB5,000000FF,?,00C0237C,00000000,?,?), ref: 00BEEB3B
CreateDirectoryW.KERNEL32(00D28AB5,00000000,?,00000000,00D85B58,00000001), ref: 00BEEBFA
GetLastError.KERNEL32 ref: 00BEEC08

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: a99663420d65d334de54ce89e9b414e4663fa71543a56c46406a4f15ba9624da
Instruction ID: 0c87e29a05f634c425108b6e1861127218568f5545f5e27a50826b32f754bacf
Opcode Fuzzy Hash: a99663420d65d334de54ce89e9b414e4663fa71543a56c46406a4f15ba9624da
Instruction Fuzzy Hash: 9C618130A00649DFDB04DFA9C895BADB7F4FF18314F1485A9E422E7391EB35A905CBA1

Function 00BEC700 Relevance: 4.6, APIs: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,2E261FC3), ref: 00BEC770
DeleteFileW.KERNEL32(?,?,00000000,0000002A,00000000,?,2E261FC3), ref: 00BEC80B
FindNextFileW.KERNEL32(?,?), ref: 00BEC862

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Delete$FindNext
String ID:
API String ID: 1410743141-0
Opcode ID: 370557ca70d2ed0804ad9822ea8ee5bfb36cee40b9b73d4f5ae86ffcf66b8e73
Instruction ID: 0845fcc19692c1d008c75ec83d070049e758936ae28d6391d55a2b080cd78aea
Opcode Fuzzy Hash: 370557ca70d2ed0804ad9822ea8ee5bfb36cee40b9b73d4f5ae86ffcf66b8e73
Instruction Fuzzy Hash: C751A0349012588FDB24DF29C998BADBBF5EF05310F1442D9E819A7381EB309E42CF51

Function 00C1AC10 Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,00000000,80004005,?,?,?,?,?,?), ref: 00C1AC35
CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,00000080,00000000,2E261FC3,00000000,00000000,80004005,?,?,?,?,?), ref: 00C1ACAD
CloseHandle.KERNEL32(?,?,00D747C0), ref: 00C1AD16

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle
String ID:
API String ID: 3273607511-0
Opcode ID: 1b1464975b247ee237f765dd320884e1f0d3458fb24cd889700276ea3e8a6b2c
Instruction ID: 860cbc113e5c9642890a3597aa9c8dc3f09629f30c1065f34c90cd12ec9d5ee7
Opcode Fuzzy Hash: 1b1464975b247ee237f765dd320884e1f0d3458fb24cd889700276ea3e8a6b2c
Instruction Fuzzy Hash: 00314831500608EFCB24DF54DD45BDEB7F4FB06710F10862AE929AB680DB712A44DBE1

Function 00C12A00 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00C12356), ref: 00C12A00
EnableWindow.USER32(?,00000000), ref: 00C12A95
DestroyWindow.USER32(00000000,00000000), ref: 00C12ABB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: be30d96d28002abef5e439b4997672c07af9f105cee8c5a6596c56c6b75074a5
Instruction ID: 9990a0d32d1ff94480e49461fb47ec37eab9c1a7d53212f0374243a6fbf639e2
Opcode Fuzzy Hash: be30d96d28002abef5e439b4997672c07af9f105cee8c5a6596c56c6b75074a5
Instruction Fuzzy Hash: 1B21D27A60020D9BD720AF18E8027EA7794EB56320F004662FD14C7791D7B6E9B5EBF1

Function 00CC7D10 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00CC7D0A,?,00CC1722,?,?,2E261FC3,00CC1722,?), ref: 00CC7D21
TerminateProcess.KERNEL32(00000000,?,00CC7D0A,?,00CC1722,?,?,2E261FC3,00CC1722,?), ref: 00CC7D28
ExitProcess.KERNEL32 ref: 00CC7D3A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: eab00ed769689c462821ef70bd722b20bb3499e6801904d1daf6f915150266db
Instruction ID: f14dd0f569826ff1c2cccf7a49b737f85d8a4eba3465837911875c9cd6c1ddbe
Opcode Fuzzy Hash: eab00ed769689c462821ef70bd722b20bb3499e6801904d1daf6f915150266db
Instruction Fuzzy Hash: 59D05E35004208BFCF002F61DC0DEAA7F2AFF42341B440114F91696231CB728982DE90

Function 00BEEF70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,2E261FC3,00000000,00000000), ref: 00BEF132

Part of subcall function 00BEF210: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,80004005), ref: 00BEF21D

Strings

USERPROFILE, xrefs: 00BEEFCA

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 2976596683-2419442777
Opcode ID: d4d0ac2dfaa62541c3c4b17b14c00d4f4400c1aa084f236cb91563af6972875e
Instruction ID: d4c28261fe4ea758336f0db858d834d5fa250ab2d98840c46acda037803952e4
Opcode Fuzzy Hash: d4d0ac2dfaa62541c3c4b17b14c00d4f4400c1aa084f236cb91563af6972875e
Instruction Fuzzy Hash: D671D075A002499FDB14DF69C859BBEB7E9FF84310F144269E815AB382DB74A900CBA1

Function 00C3BF10 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C3BF62
EndDialog.USER32(00000000,00000001), ref: 00C3BF71

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 8396e775d387e770d4e374ea635e013635bb4f7ab28b5c1b79ed24be669df12b
Instruction ID: 15047137477eb9128c5da1531d386634ad5de721367bd078110afb106605dc38
Opcode Fuzzy Hash: 8396e775d387e770d4e374ea635e013635bb4f7ab28b5c1b79ed24be669df12b
Instruction Fuzzy Hash: 3861AC34A01644DFCB05CF68C94875DBBB4BF49320F1982A9E815AB3A1C775AE05CB91

Function 00C17140 Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627ef4cdb0187f04ad5d475f3376ecef5c6003b1ee8cb059123aaf08455b85c6
Instruction ID: 348a60d4b068d5c76fc98ca56e307ca76dd87a56ef9a5fc3d3cd81f08c7c01b2
Opcode Fuzzy Hash: 627ef4cdb0187f04ad5d475f3376ecef5c6003b1ee8cb059123aaf08455b85c6
Instruction Fuzzy Hash: 0D518E31A046098FCB14DF68D894AEDB7B1FF49320F144669E825E7391DB34AA45DF60

Function 00B866B0 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00B866FA
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00B86707

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: d50ceb4a955a512fc1cac891eb36c3ba0ae0a28c58c52ba3651e58aed1fb3ff0
Instruction ID: 3bfb400ba92aaac0d7dd4f8db9eb285d289cee12c0ff6e298681c6cfd7a57eb8
Opcode Fuzzy Hash: d50ceb4a955a512fc1cac891eb36c3ba0ae0a28c58c52ba3651e58aed1fb3ff0
Instruction Fuzzy Hash: 62317F70805649EECB00DF68C94578EFBF8FF11314F1046A9E055A7792DBB5AA08CBD1

Function 00BF24C0 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF1A80: LoadLibraryW.KERNEL32(ComCtl32.dll,2E261FC3,?,00000000,00000000), ref: 00BF1ABA
Part of subcall function 00BF1A80: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00BF1AE0
Part of subcall function 00BF1A80: FreeLibrary.KERNEL32(00000000), ref: 00BF1B69

Part of subcall function 00BF1A80: LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000000), ref: 00BF1B4B

SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BF2502
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BF2511

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: LibraryLoadMessageSend$AddressFreeImageProc
String ID:
API String ID: 2968665230-0
Opcode ID: 8cf179bf6f814f6dbc4898e978df2c6baea4f99e3a0b9bbff2083426a73dac32
Instruction ID: c8a22341f43295b99fe8de81752bcb52328620e7004a8a0e1b736f4160cb37ee
Opcode Fuzzy Hash: 8cf179bf6f814f6dbc4898e978df2c6baea4f99e3a0b9bbff2083426a73dac32
Instruction Fuzzy Hash: ADF0B4327513147BE710565D4C46F7BB29DDBC4B20F148629F654AB2D1D9E26C0503D9

Function 00CD4746 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00CD6744,00000000,00CD24EA,00000000,?,00CC652A,00000000,00CD24EA,?,?,?,?,00CD22E4), ref: 00CD475C
GetLastError.KERNEL32(?,?,00CD6744,00000000,00CD24EA,00000000,?,00CC652A,00000000,00CD24EA,?,?,?,?,00CD22E4), ref: 00CD4767

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7764001302b13c1d9963c83c0d5598f7bc30bcdda6cdf095394b465a73fcacc0
Instruction ID: b7082a1472eeb8c1cc88ec400992e523c161514ddecbdf4551d0624c544ce46a
Opcode Fuzzy Hash: 7764001302b13c1d9963c83c0d5598f7bc30bcdda6cdf095394b465a73fcacc0
Instruction Fuzzy Hash: EAE0CD311003146BCB113FF7EC09B597B59DB42355F450055F708D6171CB358980D7A5

Function 6C61E3BE Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6C62576A,?,00000000,?,?,6C625A0B,?,00000007,?,?,6C624E96,?,?), ref: 6C61E3D4
GetLastError.KERNEL32(?,?,6C62576A,?,00000000,?,?,6C625A0B,?,00000007,?,?,6C624E96,?,?), ref: 6C61E3DF

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 8eb2acb77f7954dc957d5dfb89c80b86cc4ac43a985382d1511425a82533fa85
Instruction ID: d90ad0475367d956d282a56b189e71b3eb91463605a607ba19252b9c9da8ff9e
Opcode Fuzzy Hash: 8eb2acb77f7954dc957d5dfb89c80b86cc4ac43a985382d1511425a82533fa85
Instruction Fuzzy Hash: C5E086726092146BCB212FB6D84CB893B78EB4679BF148060F70886E50DB348440D7CC

Function 00BD5250 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00E02000,00C280E8,?), ref: 00BD5268
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00BD529A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 41a5285de351fcc39a9e45d17226f6b65381ae53e1f83e928c138cb46b0dd251
Instruction ID: 88823681447d837f7c31a0359ff763d98cd77a4c610e9ea8625d0ecda1fa5fb8
Opcode Fuzzy Hash: 41a5285de351fcc39a9e45d17226f6b65381ae53e1f83e928c138cb46b0dd251
Instruction Fuzzy Hash: DA01D635301611AFD6209B99DC99F5EF79AEF94321F20411EF214DB3D5CB616C1187A0

Function 00CA0D60 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877f83b54bccbc51ef5843e315b823d681a4c7229c36511def02ef8fa12b51b4
Instruction ID: 9bc7f64a9e4b1f3704d3da98ea6b897fee381765f81ff31b24e3ba17c0e87979
Opcode Fuzzy Hash: 877f83b54bccbc51ef5843e315b823d681a4c7229c36511def02ef8fa12b51b4
Instruction Fuzzy Hash: 0AA147B5901605DFDB00CFA8D88479EBBF4FF09314F2485ADE819AB391D775AA04CBA1

Function 00C3AC30 Relevance: 1.7, APIs: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,2E261FC3), ref: 00C3AC64

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: e93a8781fd79e56bc3cc4993746368ae57d6d8c00045670b02d8f70e26529353
Instruction ID: 6535587143af36fb16ff2d104a1c1b167b63d15eeaccaf32525b806c1b79453f
Opcode Fuzzy Hash: e93a8781fd79e56bc3cc4993746368ae57d6d8c00045670b02d8f70e26529353
Instruction Fuzzy Hash: 26619874A003098FCB14DF68C894A6ABBF5FF89310F2141ADE956DB7A1CB31E915CB91

Function 00C1C1A0 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00C1C2E0,?), ref: 00C1C1EB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 4e376ebadf071dc942c555f34290dd2f4c9b518fb0b77bc787f0f1d43c00efc9
Instruction ID: b9fe6a3297d3516f5f15a7b797ed48a7076e5db1e09c0a810f3ca334241b2739
Opcode Fuzzy Hash: 4e376ebadf071dc942c555f34290dd2f4c9b518fb0b77bc787f0f1d43c00efc9
Instruction Fuzzy Hash: BA419D7180020A9BDB10DF98C985BDEBBF8FF45714F10426AF810B7291DB75AA85DBA0

Function 6C605750 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,B01345AF,00000000,?,?,6C6423A7,6C6449FE,000000FF), ref: 6C6057A2

Part of subcall function 6C5E1FD0: GetProcessHeap.KERNEL32 ref: 6C5E202C

Part of subcall function 6C5E61F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,6C6057E3,-00000010,?,6C6423A7,6C6449FE,000000FF), ref: 6C5E6228

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FindFolderHeapPathProcessResourceSpecial
String ID:
API String ID: 3959041667-0
Opcode ID: ac9844325f23e7ccc20088d4527f0bc206f0b51aa35b68d16440445ed45d9a53
Instruction ID: ecfc60b81ad236023ae11d4c8396edecef57c7085b086b9e590066d8a90d818f
Opcode Fuzzy Hash: ac9844325f23e7ccc20088d4527f0bc206f0b51aa35b68d16440445ed45d9a53
Instruction Fuzzy Hash: CB31BE716002499FDB18DF68C998BEE77B4FF48308F144129E916AB781DB709A08CB99

Function 00ABA840 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00ABA640: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,2E261FC3,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?), ref: 00ABA696

FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

Part of subcall function 00ABA700: LoadResource.KERNEL32(00000000,00000000,2E261FC3,00000001,00000000,?,00000000,00CE37A0,000000FF,?,00ABA6AC,?,?,?,000000A7,?), ref: 00ABA72B
Part of subcall function 00ABA700: LockResource.KERNEL32(00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?,000000A7), ref: 00ABA736
Part of subcall function 00ABA700: SizeofResource.KERNEL32(00000000,00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?), ref: 00ABA744

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeof
String ID:
API String ID: 3127896203-0
Opcode ID: 8743b2b76d494805fc9c6262b3bf141dd0201b94de566ad72ba2b9e81af4675b
Instruction ID: 708a0ed43fe271027b9c30d886326eb12c68a1c850d81035df3d235bcd67db12
Opcode Fuzzy Hash: 8743b2b76d494805fc9c6262b3bf141dd0201b94de566ad72ba2b9e81af4675b
Instruction Fuzzy Hash: 7B11E371700125AFDB04ABA9C8859BBB3DDEF94310B14807EF541CB242EF75DC2297A2

Function 00ABA640 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00CBBEB9: EnterCriticalSection.KERNEL32(00E00810,?,?,?,00ABA677,00000000,2E261FC3,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850), ref: 00CBBEC4
Part of subcall function 00CBBEB9: LeaveCriticalSection.KERNEL32(00E00810,?,?,?,00ABA677,00000000,2E261FC3,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850), ref: 00CBBEF0

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,2E261FC3,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?), ref: 00ABA696

Part of subcall function 00ABA700: LoadResource.KERNEL32(00000000,00000000,2E261FC3,00000001,00000000,?,00000000,00CE37A0,000000FF,?,00ABA6AC,?,?,?,000000A7,?), ref: 00ABA72B
Part of subcall function 00ABA700: LockResource.KERNEL32(00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?,000000A7), ref: 00ABA736
Part of subcall function 00ABA700: SizeofResource.KERNEL32(00000000,00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?), ref: 00ABA744

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID:
API String ID: 529824247-0
Opcode ID: 75f30a2e68c20224a979948f78bc634deeafdc386a3fcf856a5dd8f877675e97
Instruction ID: a9256cbcd55de8909550093b8d376384d7a3fef23c545694e93f6b2d9ccc1824
Opcode Fuzzy Hash: 75f30a2e68c20224a979948f78bc634deeafdc386a3fcf856a5dd8f877675e97
Instruction Fuzzy Hash: 9F113672B046146BD3258B59AC52BBAF3ECE788B64F04027FED06E37C1EB759C008690

Function 00BEC620 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00BEC700: DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,2E261FC3), ref: 00BEC770

RemoveDirectoryW.KERNEL32(00000000,?,2E261FC3,?,?,00000000,2E261FC3,00000000,?,00000000,00D28443,000000FF), ref: 00BEC67E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID:
API String ID: 3325800564-0
Opcode ID: 493bdc194f810f9a3c30f40f36ae2661224e3aa38f1711df35ce18962dba705b
Instruction ID: eb5a95527e6d5e2b887cc31f229188e9579ed931dc1dea35993d54a5f0a677c0
Opcode Fuzzy Hash: 493bdc194f810f9a3c30f40f36ae2661224e3aa38f1711df35ce18962dba705b
Instruction Fuzzy Hash: 5221B671900254CFCB24DF59D484AAEFBB4FB49720F1446AAEC35AB382DB34AD01CB90

Function 00C3B160 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,2E261FC3,?,?,?,?,?,?,00D17F3D), ref: 00C3B1C4

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4f803bc6c3ba464cf67ad3003cc17e3956bb99936073ad0652fc9c02bdb179cb
Instruction ID: 4a9aae75367668e8af6cfbee8868d07e4351e109df3f5b91b806773f8e12d497
Opcode Fuzzy Hash: 4f803bc6c3ba464cf67ad3003cc17e3956bb99936073ad0652fc9c02bdb179cb
Instruction Fuzzy Hash: 79219271A00209AFCB14DF64C895BAEB7B8FB09710F10456AE926A7390DB707901CB90

Function 00C35310 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,2E261FC3,00000000,2E261FC3), ref: 00C353A6

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bbb57496676f2f7c71aad7d92fad854e467f8f849bdfbba3c57c28fd314acbe6
Instruction ID: 59a3f52d0efea778b67fdb9b0cba169f85fcde6a64a4682f199b1b6fb06b4de7
Opcode Fuzzy Hash: bbb57496676f2f7c71aad7d92fad854e467f8f849bdfbba3c57c28fd314acbe6
Instruction Fuzzy Hash: ACF0AF71A00A14ABCB10CF19CC44FABB7BDEB49724F004215F821E73D0E7B0A9008AA0

Function 00ABB010 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBE281: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,80004005,2E261FC3,?), ref: 00CBE2E1

RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 84725d2b5258f9353e802e2580532ec540e6f1f1d49aa12fee14209484682d72
Instruction ID: ef182fe813eee309304a9b8ef76e67c34f3526859cc2f1d3ab33f90cd54f6f6b
Opcode Fuzzy Hash: 84725d2b5258f9353e802e2580532ec540e6f1f1d49aa12fee14209484682d72
Instruction Fuzzy Hash: 2FF0EC71A0424CBFC710CF04CC06FAABBADEB04B10F008629B815827A1EB76A900AA64

Function 6C5E1C40 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C610495: RaiseException.KERNEL32(E06D7363,00000001,00000003,B01345AF,?,?,?,6C60C689,B01345AF,6C68FA6C,?,B01345AF), ref: 6C6104F5

RtlAllocateHeap.NTDLL(00000000,00000000,80004005,B01345AF,00000000,6C62C7D0,000000FF,?,?,6C69046C,80004005,?,6C60586B,80004005,?,6C6423A7), ref: 6C5E1C8A

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: e00d3514e436e992f86b29f2292d2a79c63ff6eb50d82cf14a5a3813ba3219ea
Instruction ID: 9de8577670a2e7e668f9031a605a7851f6af4b4d4d312c937f85b3d8cdfca945
Opcode Fuzzy Hash: e00d3514e436e992f86b29f2292d2a79c63ff6eb50d82cf14a5a3813ba3219ea
Instruction Fuzzy Hash: 87F0E271504148FFCB048F44CC45F6ABBA8EB09B04F008629F80582B50E736A814CA58

Function 00CD4780 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00CD24EA,?,00CD6733,?,00000000,?,00CC652A,00000000,00CD24EA,?,?,?,?,00CD22E4), ref: 00CD47B2

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 48b80d460e882a1080a0f35368c749120ea17a390ded32948af08018998ce2cc
Instruction ID: 85c0efc6f84db638677910696886233b36669b93815e704dac42b011a0a113b5
Opcode Fuzzy Hash: 48b80d460e882a1080a0f35368c749120ea17a390ded32948af08018998ce2cc
Instruction Fuzzy Hash: 12E06D3110122567E7252A679C41B6A778A9B437A0F1B0123EF28E63D1EB31DE40E1E2

Function 6C5E1CB0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,B01345AF,?,Function_0008C7D0,000000FF), ref: 6C5E1CDF

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: edc3ff0769ec0b35bf7a67cd2450b783269ba1626311a079198a8cc8d2b739ac
Instruction ID: fc69ff1b7b740e58fd2f24004059f91b906e58df0e92af250b9515fbe6581dde
Opcode Fuzzy Hash: edc3ff0769ec0b35bf7a67cd2450b783269ba1626311a079198a8cc8d2b739ac
Instruction Fuzzy Hash: 6FE09275644648BFDB10CF45CC40F26B7B8F709B10F10822AF816D3B80E735E400CA98

Function 00CD2452 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CD2459

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 5662f3f06906cdc57b31227c76c350c71773841777d706bb290b2c91eb82c872
Instruction ID: c6d1a5ae88d733c974c57bc8c2da8893ffcca02243609621deacb1aa45806a3c
Opcode Fuzzy Hash: 5662f3f06906cdc57b31227c76c350c71773841777d706bb290b2c91eb82c872
Instruction Fuzzy Hash: B5E09A72C0020E9EDB01DFD4C452BEFB7B8AB04310F504166A205E7141EB7497499BA1

Function 6C61C303 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C61C30A

Memory Dump Source

Source File: 00000000.00000002.2056796214.000000006C5A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C5A0000, based on PE: true

Associated: 00000000.00000002.2056773051.000000006C5A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056855160.000000006C647000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056893886.000000006C692000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2056917167.000000006C6A1000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c5a0000_e-SPT Masa PPh.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: d55e663e5be771a322f5db729d07b693cf74991fcac0d53478d3c76781c762c3
Instruction ID: eae11952852a18b4321476f93e0be8f5499c48d6657ab79a612d7b37179d8e4c
Opcode Fuzzy Hash: d55e663e5be771a322f5db729d07b693cf74991fcac0d53478d3c76781c762c3
Instruction Fuzzy Hash: FCE01AB2D0020DAEDB00DFD4C541FEFB7B8AB04304F50812AD241F6640EB3497488BE9

Function 00CBC31D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CBC2EC

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6847fd495b8ab537dd3bf8fcb424f5640fd1811a845a60a7acb56a258e6b3985
Instruction ID: aca11e70dd716452e86b04b99577e60f819cee5d4d5d6068e4edce443c638a20
Opcode Fuzzy Hash: 6847fd495b8ab537dd3bf8fcb424f5640fd1811a845a60a7acb56a258e6b3985
Instruction Fuzzy Hash: 15B012D12691456D320491861C47C77014CD0C4B10B30803FF104F1081EC410C852033

Function 00CBC327 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CBC2EC

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b915fbb2a9755c59a158c9d7d785bc8bb07eb59206eb3ceea53f37bfe10ed999
Instruction ID: baa0b565ab576bac227d89c2b0976a0c27c64d6e8d3cb3359d7a3429692abdd4
Opcode Fuzzy Hash: b915fbb2a9755c59a158c9d7d785bc8bb07eb59206eb3ceea53f37bfe10ed999
Instruction Fuzzy Hash: 13B012D1269105AD320491961C47C77014CC0C0B10B30C43FF944F1080DC410C453173

Function 00CB8CA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB8CB2

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6915fab18144901e7434c53924ef46918e94a83a9da4f40de8f66bbf0a458a18
Instruction ID: ddade023861139f45e7ca19e6cf576ede4857966a98165f0ef5ed4cb88db0ebc
Opcode Fuzzy Hash: 6915fab18144901e7434c53924ef46918e94a83a9da4f40de8f66bbf0a458a18
Instruction Fuzzy Hash: B0B012C126D344BC33041203AD03C7A510CD0D0B11730863BF111F00849C910CC92033

Function 00CB93E2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB93B5

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ce052eedaf6840b19a30da88c49332524e2360356b8bc2e1fce550fe4a8e0a84
Instruction ID: b000595f114760b1ce173e952e92aacd14cf3aa2222507c150d551c87b5800c0
Opcode Fuzzy Hash: ce052eedaf6840b19a30da88c49332524e2360356b8bc2e1fce550fe4a8e0a84
Instruction Fuzzy Hash: 86B012C12A82046C730491057C07C7E419CC1D4B10B34C03FF614E00C0DC530C452073

Function 00CB9389 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB9376

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bb7d720cab31e15d727923ec5b45863610cc2b739510f3acf2db24e4505e6559
Instruction ID: 9341c45d3393db52f4280be90b49d5d0935f74b9ecf4f428922eece340720c18
Opcode Fuzzy Hash: bb7d720cab31e15d727923ec5b45863610cc2b739510f3acf2db24e4505e6559
Instruction Fuzzy Hash: FDB012D226D2046C724451051C47C7A019CC1D0B20F30853AF300E50C0DC510C893133

Function 00CB93BE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB93B5

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 63835cfb731d3d30bb1afcb9788f23b4c1a575eea3b79dedf322835d479144b0
Instruction ID: d529026668d221c2ff90cd9260ff5555763da4ccf3e05e964c0ed3111de103aa
Opcode Fuzzy Hash: 63835cfb731d3d30bb1afcb9788f23b4c1a575eea3b79dedf322835d479144b0
Instruction Fuzzy Hash: B7B012C12A93046C330451053C07C7E419CC1C4B10734813EF224F10C0DC530CC52033

Function 00CB9346 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB92ED

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 30c17650bb0a47ebf0ab5c6eae1e1d529f88ad99142d18ac5e8d28d614b8addc
Instruction ID: ff865c699f59dbbfbef132a18291bfded1b3a8c5e5894b333287669614c11121
Opcode Fuzzy Hash: 30c17650bb0a47ebf0ab5c6eae1e1d529f88ad99142d18ac5e8d28d614b8addc
Instruction Fuzzy Hash: 94B012C1278149BC720451451D47D76024CC0C0B10B30C03AF344E0080DC930C862037

Function 00CB930A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB92ED

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f7267294a13bc8dc3793a5bc2c66696363a2712b8396e735e7f1c85714926ffa
Instruction ID: a305987f8298e6510b5bb0641a48dfa3b20854bc5b70afd1276ff9bfc28133d2
Opcode Fuzzy Hash: f7267294a13bc8dc3793a5bc2c66696363a2712b8396e735e7f1c85714926ffa
Instruction Fuzzy Hash: 0EB012C1278209FC720451451C87D76014CC0C0B10B30C03AF644E1080DC510C853033

Function 00CB9300 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB92ED

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 55d252ede95abb540a05bad74209f22e186e637898fe64a29b3db9dc448e8c47
Instruction ID: ed8a547c6953bd9bfead03aa61d8369766499a21c50dc0961a695bfadf25dbf3
Opcode Fuzzy Hash: 55d252ede95abb540a05bad74209f22e186e637898fe64a29b3db9dc448e8c47
Instruction Fuzzy Hash: B5B012C1278108BC720451551D47D76014CC0C0B10B30C03AF304E0080DC530C8B2033

Function 00CB933C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB92ED

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8a30ba0a451fc0b25860f4f69656d0729ddbc43ee28cf496c48147d5837d1451
Instruction ID: ab5c49181a58ff561d7772b333c8fc2eadcc5771aead9dd7d62bc6e800400266
Opcode Fuzzy Hash: 8a30ba0a451fc0b25860f4f69656d0729ddbc43ee28cf496c48147d5837d1451
Instruction Fuzzy Hash: 7BB012C1278108BD720455451C47E76024CC0C0B10B30803AF244E0080DC910C892037

Function 00CB94B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB946E

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 32d93ffb8606806418cc3a26bceb51801c4014a1c92748fc278ce77c025c02c0
Instruction ID: 4d8677142ed6835cbe487094746619ad7fb781e4bc00c5f042deac84dac1bd7e
Opcode Fuzzy Hash: 32d93ffb8606806418cc3a26bceb51801c4014a1c92748fc278ce77c025c02c0
Instruction Fuzzy Hash: 5FB012D52791446C320451065D17C7B015CC0C5B10B30803AF300E1080DC510C462533

Function 00CB941E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB93B5

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: caf86cf40b0adb66e438ccd229e11f0ee1f072a096a58e73820d0035823362ce
Instruction ID: a50518a38ec674c0d1188be8193d454c0b7a5f33d8f29d69e91a9679790bafb8
Opcode Fuzzy Hash: caf86cf40b0adb66e438ccd229e11f0ee1f072a096a58e73820d0035823362ce
Instruction Fuzzy Hash: 5FB012C16A82046D330451053D0BC7F419CC1D4B10734803EF254E00C0DC630C463233

Function 00CB9414 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB93B5

Part of subcall function 00CB97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00CB97B8
Part of subcall function 00CB97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB9820
Part of subcall function 00CB97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB9831

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c088c8bb7306790c14f74eea479fd05ffb1249f1b50827ff3a22667309a4dac4
Instruction ID: a4156cc0fc3881e7a05d57e3338d2b81ee2262cef86472a471739417a915fc52
Opcode Fuzzy Hash: c088c8bb7306790c14f74eea479fd05ffb1249f1b50827ff3a22667309a4dac4
Instruction Fuzzy Hash: 15B012C16A93046D330461053C0BC7F419CC1C4B10734813EF354E10C0DC530C853133

Function 00C1AD40 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4cfcb9e465ac24b8d64ccc5b04370baafd95ea43cc118d95ab632bea4fc609
Instruction ID: adbf330c9fe88e3f58e72282b32ddfd97d06d05270054f55b9375d02e5b2f697
Opcode Fuzzy Hash: dd4cfcb9e465ac24b8d64ccc5b04370baafd95ea43cc118d95ab632bea4fc609
Instruction Fuzzy Hash: 7A710671A012059FDB10DF6CD884BEEFBE4EF46310F144269E828A7381DB75AD41DBA2

Function 00AB9CC0 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00AB9CCB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 55fc59ff1851cbe418f85f0104275aec7b2dae0f78b1e8eea29fbc1fa25e6b52
Instruction ID: a08114108dfe788fdcb94756166cad973af437676b30b2714c8c3ab9477bf5d7
Opcode Fuzzy Hash: 55fc59ff1851cbe418f85f0104275aec7b2dae0f78b1e8eea29fbc1fa25e6b52
Instruction Fuzzy Hash: 96C04C756057114BD7305F19BA0878376DC5F05711F054459A459D7A41C774DC508664

Non-executed Functions

Function 00AB3480 Relevance: 437.0, Strings: 347, Instructions: 3218COMMON

Download Yara Rule

Strings

P&, xrefs: 00AB4043
%, xrefs: 00AB3DC3
xP, xrefs: 00AB790D
@, xrefs: 00AB6B43
L, xrefs: 00AB760D
0N, xrefs: 00AB7726
(=, xrefs: 00AB68AE
x(, xrefs: 00AB4510
InstallFinalize, xrefs: 00AB6ED7
x2, xrefs: 00AB5A68
RemoveODBC, xrefs: 00AB4603, 00AB4749, 00AB488F
A, xrefs: 00AB6C29
CostFinalize, xrefs: 00AB3988
PL, xrefs: 00AB7590
(O, xrefs: 00AB77F8
RegisterClassInfo, xrefs: 00AB6424
xF, xrefs: 00AB70BB
K, xrefs: 00AB7496
MsiAssembly, xrefs: 00AB6D86
x;, xrefs: 00AB6738
FileSize, xrefs: 00AB604F
A, xrefs: 00AB6CD5
B, xrefs: 00AB6DB2
xN, xrefs: 00AB775F
8$, xrefs: 00AB3BF0
H<, xrefs: 00AB67EC
AI_ScheduledTasks, xrefs: 00AB7674
87, xrefs: 00AB6399
X", xrefs: 00AB380F
InstallServices, xrefs: 00AB6B48
`:, xrefs: 00AB663F
RegisterComPlus, xrefs: 00AB6AC2
p-, xrefs: 00AB4F8B
MsiConfigureServices, xrefs: 00AB6BCE, 00AB6BF4
P7, xrefs: 00AB63AC
PK, xrefs: 00AB74BF
N, xrefs: 00AB77BF
H:, xrefs: 00AB662C
15000, xrefs: 00AB411E, 00AB4264, 00AB5E5C, 00AB622E, 00AB64B4, 00AB6BE1, 00AB6DF0
UnregisterMIMEInfo, xrefs: 00AB5179
3000000, xrefs: 00AB673D
PatchFiles, xrefs: 00AB60B5
h%, xrefs: 00AB3E6B
XG, xrefs: 00AB717A
(!, xrefs: 00AB3598
(F, xrefs: 00AB706E
P., xrefs: 00AB517E
AI_AppSearchEx, xrefs: 00AB74D7, 00AB74FD
PatchSize, xrefs: 00AB6195
AI_UninstallTasks, xrefs: 00AB73DD
AI_Game, xrefs: 00AB728C, 00AB7480
MIME, xrefs: 00AB51DF, 00AB65C1
AI_UserGroups, xrefs: 00AB7386, 00AB757A
InstallFiles, xrefs: 00AB5F6F
x3, xrefs: 00AB5C82
I, xrefs: 00AB72F1
(+, xrefs: 00AB4ABA
8A, xrefs: 00AB6C3C
K, xrefs: 00AB753C
PublishComponents, xrefs: 00AB6CDA
P@, xrefs: 00AB6B69
PA, xrefs: 00AB6C4F
(, xrefs: 00AB45D5
H;, xrefs: 00AB6712
D, xrefs: 00AB6F4F
(5, xrefs: 00AB600D
PublishComponent, xrefs: 00AB3EC5, 00AB6D00
RemoveFiles, xrefs: 00AB591D, 00AB5A63
h&, xrefs: 00AB408A
@3, xrefs: 00AB5C08
HN, xrefs: 00AB7739
X5, xrefs: 00AB6087
H(, xrefs: 00AB448F
6, xrefs: 00AB6233
1500000, xrefs: 00AB6B5B
(<, xrefs: 00AB67D1
`1, xrefs: 00AB580F
DuplicateFile, xrefs: 00AB583D, 00AB6261
PublishFeatures, xrefs: 00AB6DDD
PJ, xrefs: 00AB73EB
O, xrefs: 00AB7890
01, xrefs: 00AB57A9
RemoveFolders, xrefs: 00AB5B9D
p?, xrefs: 00AB6AAA
H), xrefs: 00AB46C6
AI_UninstallAccounts, xrefs: 00AB72E3
CreateShortcuts, xrefs: 00AB639E
0;, xrefs: 00AB66FF
?, xrefs: 00AB6A66
AppId, xrefs: 00AB4E0D, 00AB644A
:, xrefs: 00AB66B2
800, xrefs: 00AB3AE4
RegisterTypeLibraries, xrefs: 00AB69BF
AI_ProcessGroups, xrefs: 00AB7554
8%, xrefs: 00AB3DFE
(), xrefs: 00AB466E
hC, xrefs: 00AB6E19
@F, xrefs: 00AB7081
AI_UninstallGroups, xrefs: 00AB7360
MoveFiles, xrefs: 00AB5E29
~, xrefs: 00AB70CA
hA, xrefs: 00AB6C62
P8, xrefs: 00AB6489
h8, xrefs: 00AB649C
8J, xrefs: 00AB73D8
p5, xrefs: 00AB60BA
Location, xrefs: 00AB6FB4, 00AB703A
8K, xrefs: 00AB74AC
RemoveIniValues, xrefs: 00AB52BF, 00AB5405
,, xrefs: 00AB4CCC
`O, xrefs: 00AB7829
), xrefs: 00AB47E7
h., xrefs: 00AB51B1
1500, xrefs: 00AB52F2, 00AB5438, 00AB71FC, 00AB7764
UnregisterComPlus, xrefs: 00AB4377
02, xrefs: 00AB59BB
p!, xrefs: 00AB364F
P$, xrefs: 00AB3C23
PB, xrefs: 00AB6D35
RegisterMIMEInfo, xrefs: 00AB659B
7, xrefs: 00AB6432
RemoveExistingProducts, xrefs: 00AB34A4
p#, xrefs: 00AB3A50
Component_, xrefs: 00AB3EF8, 00AB4184, 00AB42CA, 00AB4410, 00AB46C1, 00AB47E2, 00AB4928, 00AB4BBE, 00AB4CFA, 00AB5358, 00AB549E, 00AB55E4, 00AB575E, 00AB5870, 00AB59B6, 00AB5C5B, 00AB5D7C, 00AB5EC2, 00AB6008, 00AB6294, 00AB63D7, 00AB6657, 00AB66DD, 00AB6763, 00AB6866, 00AB68EC, 00AB6972, 00AB69F8, 00AB6AFB, 00AB6B81, 00AB6C02, 00AB6C8D, 00AB6D13
(4, xrefs: 00AB5E02
MsiPublishAssemblies, xrefs: 00AB6D5B
Feature_, xrefs: 00AB3D8B, 00AB4F86, 00AB64D8, 00AB6D97, 00AB6F8D, 00AB7013, 00AB7099, 00AB7133
`(, xrefs: 00AB44C2
8., xrefs: 00AB514B
AI_XmlUninstall, xrefs: 00AB76CB, 00AB7751
09, xrefs: 00AB653F
0C, xrefs: 00AB6DEB
p,, xrefs: 00AB4D79
AI_DownloadPrereq, xrefs: 00AB6F54
7, xrefs: 00AB6386
ServiceInstall, xrefs: 00AB6B6E
p6, xrefs: 00AB62D6
RemoveFile, xrefs: 00AB5AC9
WriteRegistryValues, xrefs: 00AB661E
@, xrefs: 00AB6BEF
@H, xrefs: 00AB723B
X#, xrefs: 00AB3A15
H0, xrefs: 00AB55C0
100000, xrefs: 00AB6EEA
HO, xrefs: 00AB7813
X,, xrefs: 00AB4D52
0:, xrefs: 00AB6619
(P, xrefs: 00AB78CC
H', xrefs: 00AB4269
Complus, xrefs: 00AB43DD, 00AB6AE8
Environment, xrefs: 00AB56F7, 00AB6750
H1, xrefs: 00AB57DC
CreateFolder, xrefs: 00AB5C03, 00AB5D49
CostInitialize, xrefs: 00AB3703
0, xrefs: 00AB56FC
WriteIniValues, xrefs: 00AB66A4
(3, xrefs: 00AB5BD5
x), xrefs: 00AB471B
-, xrefs: 00AB50B9
MoveFile, xrefs: 00AB5E8F
File, xrefs: 00AB38A3, 00AB5983, 00AB5FD5
xO, xrefs: 00AB783C
WriteEnvironmentStrings, xrefs: 00AB672A
P-, xrefs: 00AB4F58
X!, xrefs: 00AB3601
8, xrefs: 00AB6506
AppSearch, xrefs: 00AB35C9, 00AB364A
0D, xrefs: 00AB6EBF
hK, xrefs: 00AB74D2
0', xrefs: 00AB4236
., xrefs: 00AB52C4
RemoveRegistryValues, xrefs: 00AB4B1B, 00AB4C61
IniFile, xrefs: 00AB546B, 00AB66C5
SelfRegModules, xrefs: 00AB6A45
BindImage, xrefs: 00AB6321, 00AB6347
M, xrefs: 00AB76D9
RemoveRegistry, xrefs: 00AB4CC7
UnregisterProgIdInfo, xrefs: 00AB5033
(G, xrefs: 00AB7154
P9, xrefs: 00AB655A
ServiceControl, xrefs: 00AB4151, 00AB4297, 00AB6C7A
TypeLib, xrefs: 00AB69E5
`', xrefs: 00AB429C
UnpublishComponents, xrefs: 00AB3E66
(H, xrefs: 00AB7225
Shortcut, xrefs: 00AB55BB, 00AB63C4
10000, xrefs: 00AB6CED, 00AB78E4
FileCost, xrefs: 00AB383D
`2, xrefs: 00AB5A35
P/, xrefs: 00AB53A4
X6, xrefs: 00AB6299
X?, xrefs: 00AB6A97
p6, xrefs: 00AB62EC
8/, xrefs: 00AB535D
AI_UserAccounts, xrefs: 00AB7309, 00AB75F7
RegisterExtensionInfo, xrefs: 00AB64A1
p", xrefs: 00AB3842
0L, xrefs: 00AB7575
X=, xrefs: 00AB68D4
InstallODBC, xrefs: 00AB682D, 00AB68B3, 00AB6939
E, xrefs: 00AB7035
2000, xrefs: 00AB35FC, 00AB7279, 00AB72F6, 00AB7373, 00AB73F0, 00AB7567, 00AB75E4, 00AB7661
@*, xrefs: 00AB48C7
@>, xrefs: 00AB69A7
/, xrefs: 00AB54EA
ODBCTranslator, xrefs: 00AB47AF, 00AB68D9
86, xrefs: 00AB6266
`3, xrefs: 00AB5C60
AI_CountRowAction, xrefs: 00AB7854
AI_XmlInstall, xrefs: 00AB716C, 00AB71E9
h/, xrefs: 00AB53D7
`F, xrefs: 00AB7094
X>, xrefs: 00AB69BA
HE, xrefs: 00AB6FAF
p@, xrefs: 00AB6B7C
', xrefs: 00AB43AF
HM, xrefs: 00AB765C
UnregisterClassInfo, xrefs: 00AB4DA7
RemoveShortcuts, xrefs: 00AB554B
XI, xrefs: 00AB731F
2, xrefs: 00AB5B3C
`), xrefs: 00AB46E8
@?, xrefs: 00AB6A81
;, xrefs: 00AB6798
8B, xrefs: 00AB6D0E
&, xrefs: 00AB4189
x*, xrefs: 00AB492D
p4, xrefs: 00AB5E94
1, xrefs: 00AB5922
AI_DefaultActionCost, xrefs: 00AB78D1
(>, xrefs: 00AB6994
Options, xrefs: 00AB70C0, 00AB7146
AI_PreRequisite, xrefs: 00AB6F7A, 00AB7000, 00AB7086, 00AB710C
$, xrefs: 00AB3BBD
0E, xrefs: 00AB6F88
pH, xrefs: 00AB7261
`D, xrefs: 00AB6EE5
hL, xrefs: 00AB75A6
HD, xrefs: 00AB6ED2
@+, xrefs: 00AB4AED
RegisterFonts, xrefs: 00AB67B0
Patch, xrefs: 00AB611B
$, xrefs: 00AB3D5D
StopServices, xrefs: 00AB40EB, 00AB4231
Registry, xrefs: 00AB4B81, 00AB6644
AI_ProcessTasks, xrefs: 00AB764E
J, xrefs: 00AB7468
00, xrefs: 00AB5583
C, xrefs: 00AB6E7B
ProcessComponents, xrefs: 00AB3BEB
Font, xrefs: 00AB4A3B, 00AB67D6
200000, xrefs: 00AB6E6D
`N, xrefs: 00AB774C
6000, xrefs: 00AB6631
InstallValidate, xrefs: 00AB3AB1
@5, xrefs: 00AB6054
X4, xrefs: 00AB5E61
9, xrefs: 00AB65D7
xD, xrefs: 00AB6EF8
ODBCDriver, xrefs: 00AB48F5, 00AB695F
100, xrefs: 00AB60E8, 00AB6531, 00AB746D
30000, xrefs: 00AB3D58, 00AB66B7, 00AB6D73
20000, xrefs: 00AB6C67
8, xrefs: 00AB6460
0&, xrefs: 00AB4010
H2, xrefs: 00AB5A02
@", xrefs: 00AB37ED
AI_ChainProductsPseudo, xrefs: 00AB77D7
Extension, xrefs: 00AB4F53, 00AB64C7
8000, xrefs: 00AB450B, 00AB4A08, 00AB67C3, 00AB6A58
120000, xrefs: 00AB557E
#, xrefs: 00AB39AF
p+, xrefs: 00AB4B53
3000, xrefs: 00AB3C1E, 00AB3E92, 00AB3FD8, 00AB43AA, 00AB4B4E, 00AB4C94, 00AB4DDA, 00AB4F20, 00AB5066, 00AB51AC, 00AB56C4, 00AB6437, 00AB65AE, 00AB69D2, 00AB6AD5
hJ, xrefs: 00AB73FE
`<, xrefs: 00AB6802
`E, xrefs: 00AB6FC2
h0, xrefs: 00AB55E9
8I, xrefs: 00AB7304
@G, xrefs: 00AB7167
0M, xrefs: 00AB7649
h$, xrefs: 00AB3C56
pI, xrefs: 00AB7335
AI_GxInstall, xrefs: 00AB7266
J, xrefs: 00AB73C5
8#, xrefs: 00AB39E2
RemoveEnvironmentStrings, xrefs: 00AB5691
x1, xrefs: 00AB5842
`;, xrefs: 00AB6725
AI_InstallPrerequisite, xrefs: 00AB7060
DuplicateFiles, xrefs: 00AB61FB
RemoveDuplicateFiles, xrefs: 00AB57D7
Feature, xrefs: 00AB400B, 00AB6E03
pG, xrefs: 00AB718D
(*, xrefs: 00AB4894
InstallInitialize, xrefs: 00AB6E5A
x=, xrefs: 00AB68E7
SelfUnregModules, xrefs: 00AB44BD
-, xrefs: 00AB4F0D
x<, xrefs: 00AB681A
AI_ProcessAccounts, xrefs: 00AB75D1
1800, xrefs: 00AB717F, 00AB76DE
X*, xrefs: 00AB48FA
MsiUnpublishAssemblies, xrefs: 00AB3D25
ProgId, xrefs: 00AB50B4, 00AB6544
X+, xrefs: 00AB4B20
SelfReg, xrefs: 00AB4523, 00AB6A6B
RegisterProgIdInfo, xrefs: 00AB651E
AI_XmlAttribute, xrefs: 00AB720F, 00AB7777
CreateFolders, xrefs: 00AB5CE3
RemoveIniFile, xrefs: 00AB5325
(", xrefs: 00AB37A1
@P, xrefs: 00AB78DF
AI_XmlElement, xrefs: 00AB7192, 00AB76F1
88, xrefs: 00AB6476
P%, xrefs: 00AB3E31
@4, xrefs: 00AB5E2E
Component, xrefs: 00AB3769, 00AB39DD, 00AB3B28, 00AB3C51
`M, xrefs: 00AB766F
AI_InstallPostPrerequisite, xrefs: 00AB70E6
0(, xrefs: 00AB445C
XP, xrefs: 00AB78F2
xE, xrefs: 00AB6FD5
%, xrefs: 00AB3F77
h7, xrefs: 00AB63BF
<, xrefs: 00AB6861
UnregisterFonts, xrefs: 00AB49D5
ODBCDataSource, xrefs: 00AB4669, 00AB6853
@=, xrefs: 00AB68C1
AI_ExtractPrereq, xrefs: 00AB6FDA
h9, xrefs: 00AB6570
., xrefs: 00AB5118
@!, xrefs: 00AB35CE
12000, xrefs: 00AB4636, 00AB477C, 00AB48C2, 00AB580A, 00AB5950, 00AB5AB1, 00AB5BD0, 00AB5D16, 00AB63B1, 00AB6840, 00AB68C6, 00AB694C
UnregisterExtensionInfo, xrefs: 00AB4F08
8@, xrefs: 00AB6B56
5000, xrefs: 00AB6334
HC, xrefs: 00AB6DFE
@,, xrefs: 00AB4CFF
hB, xrefs: 00AB6D48
XH, xrefs: 00AB724E
p>, xrefs: 00AB69CD
8-, xrefs: 00AB4F25
StartServices, xrefs: 00AB6C54
UnpublishFeatures, xrefs: 00AB3FA5
AI_GxUninstall, xrefs: 00AB745A
500, xrefs: 00AB74E5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: #$ $$ %$ ,$ -$ .$ 6$ 7$ 8$ ?$ @$ A$ I$ J$ K$(!$("$()$(*$(+$(3$(4$(5$(<$(=$(>$(F$(G$(H$(O$(P$0&$0'$0($00$01$02$09$0:$0;$0C$0D$0E$0L$0M$0N$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8#$8$$8%$8-$8.$8/$800$8000$86$87$88$8@$8A$8B$8I$8J$8K$@!$@"$@*$@+$@,$@3$@4$@5$@=$@>$@?$@F$@G$@H$@P$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$H'$H($H)$H0$H1$H2$H:$H;$H<$HC$HD$HE$HM$HN$HO$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$P$$P%$P&$P-$P.$P/$P7$P8$P9$P@$PA$PB$PJ$PK$PL$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X!$X"$X#$X*$X+$X,$X4$X5$X6$X=$X>$X?$XG$XH$XI$XP$`'$`($`)$`1$`2$`3$`:$`;$`<$`D$`E$`F$`M$`N$`O$h$$h%$h&$h.$h/$h0$h7$h8$h9$hA$hB$hC$hJ$hK$hL$p!$p"$p#$p+$p,$p-$p4$p5$p6$p6$p>$p?$p@$pG$pH$pI$x($x)$x*$x1$x2$x3$x;$x<$x=$xD$xE$xF$xN$xO$xP$~$$$%$&$'$($)$-$.$/$0$1$2$7$8$9$:$;$<$@$A$B$C$D$E$J$K$L$M$N$O
API String ID: 0-1018976708
Opcode ID: 2f63590983fc469f3a3f040350043140a2a0842cd49cc8b26c76a0d299cb7c77
Instruction ID: b10e9fcebd052bea7433d061ab6b20d040108dc4e41371da678a333eb810ab6c
Opcode Fuzzy Hash: 2f63590983fc469f3a3f040350043140a2a0842cd49cc8b26c76a0d299cb7c77
Instruction Fuzzy Hash: 6B73B560A45385ADD705DB759E1A39E6AA59BA3305F20934CF3403F2E2DBF606CCC7A1

Function 00AE25B3 Relevance: 64.6, APIs: 25, Strings: 11, Instructions: 1650memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

VariantClear.OLEAUT32(?), ref: 00AE2893
VariantClear.OLEAUT32(?), ref: 00AE29D9
VariantClear.OLEAUT32(?), ref: 00AE2A0E
VariantClear.OLEAUT32(?), ref: 00AE2BA3
SysAllocString.OLEAUT32(00000000), ref: 00AE2BB4
VariantClear.OLEAUT32(?), ref: 00AE2BFE
VariantClear.OLEAUT32(?), ref: 00AE2C27
SysFreeString.OLEAUT32(00000000), ref: 00AE2C32
VariantClear.OLEAUT32(?), ref: 00AE2D45
VariantClear.OLEAUT32(?), ref: 00AE2D7A
VariantClear.OLEAUT32(?), ref: 00AE2DD4
VariantClear.OLEAUT32(?), ref: 00AE2E93
VariantClear.OLEAUT32(?), ref: 00AE2861

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

VariantClear.OLEAUT32(?), ref: 00AE2978
VariantClear.OLEAUT32(?), ref: 00AE29A4
VariantClear.OLEAUT32(?), ref: 00AE300A
SysAllocString.OLEAUT32(00000000), ref: 00AE301B
VariantClear.OLEAUT32(?), ref: 00AE3065
VariantClear.OLEAUT32(?), ref: 00AE308E
SysFreeString.OLEAUT32(00000000), ref: 00AE3099
VariantClear.OLEAUT32(?), ref: 00AE319C
VariantClear.OLEAUT32(?), ref: 00AE31F3
VariantClear.OLEAUT32(?), ref: 00AE321C
SysFreeString.OLEAUT32(00000000), ref: 00AE322A

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

MsiGetBytesCountText, xrefs: 00AE38C2
MessageBox, xrefs: 00AE3803
MsiGetBinaryPathIndirect, xrefs: 00AE3685
MsiGetProperty, xrefs: 00AE3389
MsiPublishEvents, xrefs: 00AE3744
MsiGetBinaryPath, xrefs: 00AE35C6
MsiEvaluateCondition, xrefs: 00AE3448
MsiGetFormattedError, xrefs: 00AE3981
MsiResolveFormatted, xrefs: 00AE3507
MsiSetProperty, xrefs: 00AE32D0
GetFontHeight, xrefs: 00AE3A40

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ClearVariant$String$Free$AllocHeap$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 2653467708-3153392536
Opcode ID: b18d2934a97c67fc851488393861216a972ddb40623942fd3e294ae074d804e9
Instruction ID: 33b7c8ca279cef2778eb1f1673af87e52e4f19331e248af0a8de6db787cd552c
Opcode Fuzzy Hash: b18d2934a97c67fc851488393861216a972ddb40623942fd3e294ae074d804e9
Instruction Fuzzy Hash: A7E2A071D00248DFDB14DFA9C888BEEBBB5FF48310F248259E415A7391EB74AA85CB51

Function 00AD2C40 Relevance: 26.1, APIs: 17, Instructions: 596windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AD2C7C
GetWindowLongW.USER32(?,000000EB), ref: 00AD2D15
ShowWindow.USER32(?,00000000), ref: 00AD2D34
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AD2D42
GetWindowRect.USER32(?,?), ref: 00AD2D59
ShowWindow.USER32(?,00000000), ref: 00AD2D7A
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00AD2D91

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

GetClientRect.USER32(?,?), ref: 00AD2E88
ShowWindow.USER32(?,?,?,00000000), ref: 00AD2F3D
GetWindowLongW.USER32(?,000000EB), ref: 00AD2F71
ShowWindow.USER32(?,?,?,00000000), ref: 00AD2F8F
GetWindowRect.USER32(?,?), ref: 00AD2FB9
IsWindowVisible.USER32(?), ref: 00AD311E
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00AD3148
GetWindowRect.USER32(?,?), ref: 00AD31F9
GetWindowRect.USER32(?,?), ref: 00AD3244
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00AD3282

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Rect$LongShow$ClientMessageSend$AllocateHeapVisible
String ID:
API String ID: 1979148354-0
Opcode ID: df8ac6860bafd34ed3f73a054e8c04b745a54b456a26b3de1c86abf8b82ce064
Instruction ID: e0357e8586c3bedd3a72512abd8bb01fc6f0c375ef1064b494ca478613ad1ca4
Opcode Fuzzy Hash: df8ac6860bafd34ed3f73a054e8c04b745a54b456a26b3de1c86abf8b82ce064
Instruction Fuzzy Hash: 6A326871A04309AFCB14CF68D984AAEBBF5BF98310F14455EF846A7360DB30E945CB92

Function 00AF2970 Relevance: 22.1, APIs: 5, Strings: 7, Instructions: 1106stringsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,00D79366,?), ref: 00AF2DD3
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,00D79366,?), ref: 00AF2F53
std::_Throw_Cpp_error.LIBCPMT ref: 00AF35AB

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,00D79366,?), ref: 00AF3507

Part of subcall function 00AD4AD0: FindClose.KERNEL32(00000000), ref: 00AD4C1F

Part of subcall function 00BF18D0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,2E261FC3,?,00000000), ref: 00BF191B
Part of subcall function 00BF18D0: GetLastError.KERNEL32(?,00000000), ref: 00BF1925

std::_Throw_Cpp_error.LIBCPMT ref: 00AF3877

Strings

msix, xrefs: 00AF2CA1
?(-|/)+q, xrefs: 00AF2B0C
appx, xrefs: 00AF2F6E
Launch failed. Error:, xrefs: 00AF3356
msixbundle, xrefs: 00AF2DF2
Return code of launched file:, xrefs: 00AF3452
Launching file:, xrefs: 00AF2A2B

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Cpp_errorThrow_lstrcmpistd::_$CloseErrorFindFormatHeapLastMessageProcessSleep
String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 2536901295-140134217
Opcode ID: 9c2e12ac3a66d04b396a72206fcc7ec9246c0136ff37903515a3bb1cb5795466
Instruction ID: a782c428fe1471947df510d9612cba0bb595bb987b5f2512b80f8fb39342db56
Opcode Fuzzy Hash: 9c2e12ac3a66d04b396a72206fcc7ec9246c0136ff37903515a3bb1cb5795466
Instruction Fuzzy Hash: BFA2CE71D00218CFDF24DFA8C855BEDB7B1AF45314F248299E919AB281DB70AE85CF91

Function 00BFCDF0 Relevance: 19.8, APIs: 3, Strings: 8, Instructions: 539fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

FindFirstFileW.KERNEL32(?,?,00000000,00000000), ref: 00BFD2C1
FindClose.KERNEL32(00000000), ref: 00BFD2F5
FindClose.KERNEL32(00000000), ref: 00BFD3A1

Strings

No acceptable version found., xrefs: 00BFD956
No acceptable version found. It must be downloaded manually from a site., xrefs: 00BFD941
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00BFD94F
No acceptable version found. It must be installed from package., xrefs: 00BFD933
No acceptable version found. It must be downloaded., xrefs: 00BFD93A
No acceptable version found. Operating System not supported., xrefs: 00BFD948
An acceptable version was found., xrefs: 00BFD92C
Not selected for install., xrefs: 00BFD95D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$Close$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 4254541338-749633484
Opcode ID: 9b4b5f74317ceafcfd1e16b140c59d87b87bc65f5783cd6a3425d91a4c67535d
Instruction ID: 2f20d7a4435d654bb66a29c2acf399fc586abbca020cb7dfae8a2ce26aadbeb4
Opcode Fuzzy Hash: 9b4b5f74317ceafcfd1e16b140c59d87b87bc65f5783cd6a3425d91a4c67535d
Instruction Fuzzy Hash: DA227034A006198FCB14DF68C8986AEBBF5FF4A310F1445AED915A7381DB74AE09CF91

Function 00BCA0D0 Relevance: 19.7, APIs: 13, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00BCA148
GetParent.USER32(00000000), ref: 00BCA1B4
GetWindowRect.USER32(00000000), ref: 00BCA1BB
GetParent.USER32(00000000), ref: 00BCA1CA
GetDC.USER32(00000000), ref: 00BCA1D1
CreateCompatibleDC.GDI32(00000000), ref: 00BCA22F
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00BCA248
SelectObject.GDI32(?,00000000), ref: 00BCA259
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00BCA272

Part of subcall function 00B7CBA0: IsWindowVisible.USER32(?), ref: 00B7CC23
Part of subcall function 00B7CBA0: GetWindowRect.USER32(?,?), ref: 00B7CC3B
Part of subcall function 00B7CBA0: GetWindowRect.USER32(?,?), ref: 00B7CC53
Part of subcall function 00B7CBA0: IntersectRect.USER32(?,?,?), ref: 00B7CC70
Part of subcall function 00B7CBA0: EqualRect.USER32(?,?), ref: 00B7CC80
Part of subcall function 00B7CBA0: GetSysColorBrush.USER32(0000000F), ref: 00B7CC97

FillRect.USER32(?,?,00000000), ref: 00BCA288
DeleteDC.GDI32(?), ref: 00BCA2A8
SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00BCA2C6
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00BCA2DD

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
String ID:
API String ID: 2161025992-0
Opcode ID: 601733ca7a76da7a18a74e3e015067f47926ae389fc990c67d4efccde45e510f
Instruction ID: 4e8254526bb98d0395ff9752eb94f30dc88e7ea5d6e49536a410a41d65befb87
Opcode Fuzzy Hash: 601733ca7a76da7a18a74e3e015067f47926ae389fc990c67d4efccde45e510f
Instruction Fuzzy Hash: 5F614575D00318AFDB10CFA5C849BAEBBB9FF49310F14422AE815B7390DB756985CB91

Function 00AC7600 Relevance: 18.5, APIs: 12, Instructions: 453nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(80070216,000000EC), ref: 00AC784B
GetWindowLongW.USER32(00000000,000000EC), ref: 00AC785B
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00AC786A
NtdllDefWindowProc_W.NTDLL(00000000,?,2E261FC3,80070216,2E261FC3,00000000,?,?,?,80070216,2E261FC3,?), ref: 00AC787A
GetWindowLongW.USER32(00000000,000000EB), ref: 00AC7888
NtdllDefWindowProc_W.NTDLL(00000000,?,2E261FC3,80070216,?,?,80070216,2E261FC3,?), ref: 00AC78B3
SetWindowTextW.USER32(00000000,00D74720), ref: 00AC793E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00AC796F
GlobalLock.KERNEL32(00000000), ref: 00AC797D
GlobalUnlock.KERNEL32(?), ref: 00AC79CF
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AC7A45
NtdllDefWindowProc_W.NTDLL(00000000,?,2E261FC3,00000000), ref: 00AC7AAB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Long$GlobalNtdllProc_$AllocLockTextUnlock
String ID:
API String ID: 950861903-0
Opcode ID: 9031e4f25b1cb2548d03f65b1aa0d9be7b74781aa10aed67ef2a5f730e505527
Instruction ID: b085d34c53db2f60fea8ce9b51b7011a707e3170894fa47b0986488b30e6d894
Opcode Fuzzy Hash: 9031e4f25b1cb2548d03f65b1aa0d9be7b74781aa10aed67ef2a5f730e505527
Instruction Fuzzy Hash: EDF1BA71A042099FDB10DF69CC88FAEBBB9EF89310F15412DE915E7290DB359E00CBA1

Function 00BCA930 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 389windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00BCAC01
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 00BCAC13
SendMessageW.USER32(?,00000443,00000000), ref: 00BCAC75
GetDC.USER32(00000000), ref: 00BCAC99
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BCACA4
MulDiv.KERNEL32(?,00000000), ref: 00BCACAC
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00BCACD1

Strings

NumberValidationTipTitle, xrefs: 00BCA9CB
NumberValidationTipMsg, xrefs: 00BCAACD
Segoe UI, xrefs: 00BCAC83

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$CapsCreateDeviceFontMessageRedrawSend
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 367477953-2319862951
Opcode ID: e22576f7a617ccc5ee8bd8bd408b9d31b0955124cb5bd3db9908537f255f2ca6
Instruction ID: caa1e7ef5e489f2ecda1c4ad32febe533bb534bfdc77654cf1cde0f414ffb7c8
Opcode Fuzzy Hash: e22576f7a617ccc5ee8bd8bd408b9d31b0955124cb5bd3db9908537f255f2ca6
Instruction Fuzzy Hash: 38E1CF31A006199FDB18CF24CC59BEEB7B6FF89300F108299E516A72D1DB746A45CB91

Function 00BD3300 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 286fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00BD33FF
CloseHandle.KERNEL32(00000000), ref: 00BD3429
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00BD346A
CloseHandle.KERNEL32(?), ref: 00BD34DD
ShellExecuteExW.SHELL32 ref: 00BD3578

Strings

open, xrefs: 00BD350A
runas, xrefs: 00BD355D
EXE, xrefs: 00BD3356
.bat, xrefs: 00BD3351

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CloseFileHandle$CreateExecuteShellWrite
String ID: .bat$EXE$open$runas
API String ID: 548387358-1492471297
Opcode ID: 89e51e6cc151723346ead7833d8609c7cd3c845f106b8b02717520086c09a4a2
Instruction ID: a61e3e71f3334b767df3462e148a69e81049e637861a7ff1d772b19515c543e8
Opcode Fuzzy Hash: 89e51e6cc151723346ead7833d8609c7cd3c845f106b8b02717520086c09a4a2
Instruction Fuzzy Hash: FFB1BE30A00648DFDB10DFA8C998BADBBF5FF49314F148299E415A7392DB74AA05CF51

Function 00AEF5B0 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 931windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AEF604

Strings

' AND `Control_`=', xrefs: 00AEF794
AiTabPage, xrefs: 00AEF817, 00AEF961
SpawnDialog, xrefs: 00AEFCDD
Title, xrefs: 00AEFD73
`Dialog_`=', xrefs: 00AEF74B
ControlEvent, xrefs: 00AEF885
Dialog, xrefs: 00AEFDB2, 00AEFDDA, 00AEFF75, 00AEFF9F, 00AEFFC7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1412757306
Opcode ID: 902638b2ab186e611052f6fc92e4f1150e1f96dd5e6cb7e8dec2a241e7f9dbe0
Instruction ID: 12f4a0056687c19710bf22edd4713f502d67dd12032b1bcc95414a76a26f67d8
Opcode Fuzzy Hash: 902638b2ab186e611052f6fc92e4f1150e1f96dd5e6cb7e8dec2a241e7f9dbe0
Instruction Fuzzy Hash: D6829E71D00258CFCB14DFA8C998BEEBBB5FF49304F244259E405A7392DB74AA85CB90

Function 00AB1490 Relevance: 13.9, Strings: 11, Instructions: 186COMMON

Download Yara Rule

Strings

AI_CF_FRAME_BASE_COLOR, xrefs: 00AB14CC
AI_CF_CLOSEBTN_COLORS, xrefs: 00AB16FC
AI_CF_FRAME_CAPTION2_COLORS, xrefs: 00AB150A
AI_CF_MINBTN_BORDER_COLORS, xrefs: 00AB16C9
AI_CF_FRAME_BORDER2_COLORS, xrefs: 00AB1612
AI_CF_MINBTN_BASE_COLOR, xrefs: 00AB154C
AI_CF_MINBTN_COLORS, xrefs: 00AB1696
AI_CF_FRAME_BORDER1_COLORS, xrefs: 00AB15D0
AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 00AB158E
AI_CF_FRAME_BORDER3_COLORS, xrefs: 00AB1665
AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 00AB172F

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
API String ID: 0-1938184520
Opcode ID: 45caf0f1fb0038c1e0588be0c33d6d70e023578bbd6b636efbc41fc9f1830020
Instruction ID: fa693d5bf856bff18dbb0a119c8a89668524445b1adc11810c2dabeb92f3297a
Opcode Fuzzy Hash: 45caf0f1fb0038c1e0588be0c33d6d70e023578bbd6b636efbc41fc9f1830020
Instruction Fuzzy Hash: C4A1FC70D4535CDAEB50CF65C9597DEBBB4AB26308F1082C9E4483B282EBB916C8DF51

Function 00AE4C80 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 636windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00AE4D6B

Part of subcall function 00CBCAB5: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAC0
Part of subcall function 00CBCAB5: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAFA

Part of subcall function 00CBCA64: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCA6E
Part of subcall function 00CBCA64: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAA1
Part of subcall function 00CBCA64: WakeAllConditionVariable.KERNEL32(00E00884,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAAC

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AE525E
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00AE530C
SendMessageW.USER32(?,00001003,00000001,?), ref: 00AE53B3

Part of subcall function 00BE2A80: __cftof.LIBCMT ref: 00BE2AD0

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00AE5566

Strings

Icon, xrefs: 00AE50B2
AiFeatIco, xrefs: 00AE4FEB

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 1739475930-1280411655
Opcode ID: 0ece207eb5ff790970dbea8bbb04a8e0dd034faecc71df6d0ff8b0a1c279b4b4
Instruction ID: aeb2e6bca75538419def18a49e8e59b8fe74a856a93d8b685e4424472e16c937
Opcode Fuzzy Hash: 0ece207eb5ff790970dbea8bbb04a8e0dd034faecc71df6d0ff8b0a1c279b4b4
Instruction Fuzzy Hash: 1C527A70D00698DFDB24DF68CD88BEEBBB5AF49304F144199E44AAB291DB746E84CF50

Function 00ADAF20 Relevance: 11.2, APIs: 2, Strings: 4, Instructions: 705COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 00ADAF7A
AI_NO_BORDER_HOVER, xrefs: 00ADB0CA
AI_NO_BORDER_NORMAL, xrefs: 00ADB015
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00ADB3E5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: e2c6284e4343f7e349544f8257d0bf5adfc39705119d3ef67701921cc05e3de8
Instruction ID: 3097dffd77ebad1f4bb9cb372db452bd76a0bc2e8012b9a01a71a3d2cd0123c6
Opcode Fuzzy Hash: e2c6284e4343f7e349544f8257d0bf5adfc39705119d3ef67701921cc05e3de8
Instruction Fuzzy Hash: 78421571D10218CFDB18DF68C894BEEB7B1FF85300F10825AE456AB792D774AA45CBA1

Function 00CDE4BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CDE6A3

Strings

1#QNAN, xrefs: 00CDE5D2
1#SNAN, xrefs: 00CDE5CB
1#INF, xrefs: 00CDE5F5
1#IND, xrefs: 00CDE5C4

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 782ce0a13a1e59a78f8d9e3bb78b24832a4194a5d1dbd1c148d4145e2701f841
Instruction ID: a6130dc45f7787b0b29c001127debbb805c14570461a6e43cd03c5310c247eb8
Opcode Fuzzy Hash: 782ce0a13a1e59a78f8d9e3bb78b24832a4194a5d1dbd1c148d4145e2701f841
Instruction Fuzzy Hash: 14D20671E082298BDB65DE28DD407EAB7B5FB44304F1441EBD95EE7240E774AE828F41

Function 00C23270 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 465COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00C234B0
GetDriveTypeW.KERNEL32(?), ref: 00C234CA
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00C23573
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00C23816

Strings

]%!, xrefs: 00C23448

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 4157823300-1069524040
Opcode ID: c946968d081a7e72c58db05c1e8297b3a5f3728d3268905baccd4a3463d0b72f
Instruction ID: 8c085d4738f594c0a1050a6ffcd4a0eb669a8bf2234ec768a906363cc2a72ff6
Opcode Fuzzy Hash: c946968d081a7e72c58db05c1e8297b3a5f3728d3268905baccd4a3463d0b72f
Instruction Fuzzy Hash: 5502F270A002A98FDB25DF28CC94BADB7B5AF44310F1485E9E41AA7381DB749F85CF90

Function 00CBC11D Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00CBC039,00000000,?,00CBC1D1,?,?,?,?), ref: 00CBC11F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 00CBC146
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00CBC14D
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 00CBC15A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 00CBC16F
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00CBC176

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: a70c55f8d75a4ec60f7b75f37016183f4197be50256005e5d9ff53796ce24632
Instruction ID: 78a60a516a7d5ca95de7672ba0f485432536bf8bb0f972e18e88ccde7284ece1
Opcode Fuzzy Hash: a70c55f8d75a4ec60f7b75f37016183f4197be50256005e5d9ff53796ce24632
Instruction Fuzzy Hash: 0CF0AF79601301AFD7219F7AAC98B4BB7E8AB96712F040428F951E3354DA71C841D670

Function 00CD48D3 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CD4960

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 635b9f6bd803fd70b0e04c90b766b330aa7b2467b28e186e98b998926a69e594
Instruction ID: b96919a1c59d34a5655fee62d2d47fb0a74c41bbd128d15a3188a53f5b580c79
Opcode Fuzzy Hash: 635b9f6bd803fd70b0e04c90b766b330aa7b2467b28e186e98b998926a69e594
Instruction Fuzzy Hash: 41B18832900685AFDB19CF68C891BEEBBE5EF55300F14816BEB54AB341D234DE01DBA0

Function 00C24620 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a1c9835ed71b72887cc20f13f234616dd0d4ca704e3ed139d6b955bfee0a61
Instruction ID: 8ee75c4506d9eada80b88c3f8a975554975a914c7f56acb692e8e002e2a82dab
Opcode Fuzzy Hash: c3a1c9835ed71b72887cc20f13f234616dd0d4ca704e3ed139d6b955bfee0a61
Instruction Fuzzy Hash: 6D919E749012189FDB14DF28DC497A9BBB4EF09324F1482D9E429A73D2DB709E44CF91

Function 00AD8F00 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,2E261FC3,?,?,?,?,00CE9F74,000000FF), ref: 00AD8F41
GetWindowLongW.USER32(00000003,000000FC), ref: 00AD8F56
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00AD8F68
DeleteCriticalSection.KERNEL32(?,2E261FC3,?,?,?,?,00CE9F74,000000FF), ref: 00AD8F93

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: e13f31a61f2e2a151480309b6554babce1338018043f6b1c382334f1758f865e
Instruction ID: 0f54aace416c90f4954d9e494d518e348fadd710ed4f71a4d5d064659a7ec504
Opcode Fuzzy Hash: e13f31a61f2e2a151480309b6554babce1338018043f6b1c382334f1758f865e
Instruction Fuzzy Hash: 2D31C0B0904345AFCB10DF69CC44B9ABBB5BF05310F14426AE815E3791DB76E914DB90

Function 00C24AA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 00C24B5C
FindClose.KERNEL32(00000000), ref: 00C24CDF

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

%d.%d.%d.%d, xrefs: 00C24C58

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 986e6502e822ab7dfb5f09a8afb6ab60f5c19bdba8d2876370b8e5596dd9095e
Instruction ID: 8ea12af53e8f95437eda9dc326c5507f8be6654de3b3f831a9bba5c12289f135
Opcode Fuzzy Hash: 986e6502e822ab7dfb5f09a8afb6ab60f5c19bdba8d2876370b8e5596dd9095e
Instruction Fuzzy Hash: 8D717A74905229DFCF24DF68CC48BADBBB5EF44314F108299E419AB391DB759A84CF90

Function 00AEE370 Relevance: 5.4, Strings: 4, Instructions: 378COMMON

Download Yara Rule

Strings

<> ", xrefs: 00AEE491
= ", xrefs: 00AEE6A8
Show, xrefs: 00AEE670
Hide, xrefs: 00AEE434, 00AEE455

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: c30a9f4074354471ab5062c91c13ce87993adbf727fbc5b0793ed835359e18a9
Instruction ID: 0a97c44adb22d6b90a5c5f0f49bed111d20a5238744569a2f5e85d26e764b067
Opcode Fuzzy Hash: c30a9f4074354471ab5062c91c13ce87993adbf727fbc5b0793ed835359e18a9
Instruction Fuzzy Hash: 43026A70D00299CFDB24DF68C955BEDB7B4AF55304F1085D9E00AA7292EB716E84CFA0

Function 00C1C310 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

GetLocaleInfoW.KERNEL32(00000000,00000002,00D74720,00000000), ref: 00C1C391
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00C1C3CD

Strings

%d-%s, xrefs: 00C1C3D7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: 2db75e6918298d0be922de0949c031ea997e180e25dad8d0813de2bd896095dd
Instruction ID: 8acae675ff767915f4c870f38f5599c35da9c8b369c9af009372a3195e357634
Opcode Fuzzy Hash: 2db75e6918298d0be922de0949c031ea997e180e25dad8d0813de2bd896095dd
Instruction Fuzzy Hash: 8931AB72A00209AFCB04DF98CC5ABAEFBB9FB49324F10415DF525A7391DB756900DBA0

Function 00ADF010 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00ADF150
ProductCode, xrefs: 00ADF2C8, 00ADF315, 00ADF316
MultipleInstances, xrefs: 00ADF052
OldProductCode, xrefs: 00ADF34D, 00ADF37F, 00ADF39F, 00ADF3A0

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 078def3aa2fd879fda415e1e4da3b36acc1ab47c4b05745c19ad4f35b565f9f4
Instruction ID: 00d44a6f6e9c2aca60f2b11c2fe571cc67278b7bea52b9c3ebbefa79642adfa8
Opcode Fuzzy Hash: 078def3aa2fd879fda415e1e4da3b36acc1ab47c4b05745c19ad4f35b565f9f4
Instruction Fuzzy Hash: 24C1C13AA00211DFCB18DF68C9946BBB7B2FF95304B15416AE9136F345EB31AD42CB90

Function 00CB95F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00CB9538,0000001C,00CB972D,00000000,?,?,?,?,?,?,?,00CB9538,00000004,00E00394,00CB97BD), ref: 00CB9604
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CB9538,00000004,00E00394,00CB97BD), ref: 00CB961F

Strings

D, xrefs: 00CB9613

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 54cbcf10981582540f7b1fabb0fd4f1404db58c74a39d5fb41f21c23f1378c66
Instruction ID: ff66d1863520a4adc44d8205cf683c25d82d1258c66166486b905da1092fdbd9
Opcode Fuzzy Hash: 54cbcf10981582540f7b1fabb0fd4f1404db58c74a39d5fb41f21c23f1378c66
Instruction Fuzzy Hash: B701A776A006096BDF24DE29DC09BDE7BAAEFC5334F0CC125BE69D7254EA34DD018690

Function 00BD0370 Relevance: 4.7, APIs: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,2E261FC3,?,?), ref: 00BD042F
FindNextFileW.KERNEL32(000000FF,00000010), ref: 00BD053A
FindClose.KERNEL32(000000FF), ref: 00BD0595

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b2834710a44a7e9530c4aee3af3f323cabcd16324a93682dd6b06a4f773922a9
Instruction ID: fed246379284da70887e9535a119dc45e0032594fb4df74d0f515300b87a9b43
Opcode Fuzzy Hash: b2834710a44a7e9530c4aee3af3f323cabcd16324a93682dd6b06a4f773922a9
Instruction Fuzzy Hash: 3E619B70911218DFCF24EF64C899BEEBBB8EF54314F14419AD409A3292EB746E84CF51

Function 00AD2700 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00AD275B
GetWindowLongW.USER32(00000004,000000FC), ref: 00AD2774
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00AD2786

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a30579a36fe32df8bda9eedcb53a1b475eb02d8f6a87fefaf11fa4bd3392433b
Instruction ID: ba6bec853191f5a6a5063205e0bf6db2aaed5257f49bf54f9568214cd0c42b89
Opcode Fuzzy Hash: a30579a36fe32df8bda9eedcb53a1b475eb02d8f6a87fefaf11fa4bd3392433b
Instruction Fuzzy Hash: D641ADB0600716AFDB10CF65C948B5AFBB4FF04310F044269E425D7790DB76E918DB91

Function 00ABA700 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,2E261FC3,00000001,00000000,?,00000000,00CE37A0,000000FF,?,00ABA6AC,?,?,?,000000A7,?), ref: 00ABA72B
LockResource.KERNEL32(00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?,000000A7), ref: 00ABA736
SizeofResource.KERNEL32(00000000,00000000,?,00ABA6AC,?,?,?,000000A7,?,00000000,00CE3E70,000000FF,?,00ABA850,?,?), ref: 00ABA744

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: a6e3f417626740248cc9db974ebb9dffa5ef61262e1ced97638cab2ea6f4a1b3
Instruction ID: 0240ce3734a445031998fa8d9cc1f81d158fc415290fb3a5e6b97d5eaef8eca6
Opcode Fuzzy Hash: a6e3f417626740248cc9db974ebb9dffa5ef61262e1ced97638cab2ea6f4a1b3
Instruction Fuzzy Hash: 8E11A376E047549BC7349F5ADC45BAAF7FCEB99721F004A3AEC1AD3340EA35AC408690

Function 00ACA680 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 00ACA699
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00ACA6A7
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 00ACA6D3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 9feda08088f431f90b8ea687d42671fb15663f7d291fe5556481b06b7f380613
Instruction ID: 2adeb10d802b64e4691a12f6662982b18725db0551201655ce4ad8bbe59fe325
Opcode Fuzzy Hash: 9feda08088f431f90b8ea687d42671fb15663f7d291fe5556481b06b7f380613
Instruction Fuzzy Hash: 17F03031004B159FD7605F69ED04F967BE1BF05721F094B2CE4AB919E0C735A844EB01

Function 00C276B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00E02018), ref: 00C2770F

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00C2775D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: 18790f5e40038898add50532e8c3c59659169142a03557de33cb497cf812331f
Instruction ID: f7489a9bcea0a82caa667ddfd773bbab2771a2109bdebfc840a04849502c5553
Opcode Fuzzy Hash: 18790f5e40038898add50532e8c3c59659169142a03557de33cb497cf812331f
Instruction Fuzzy Hash: 6E214AB5D00208AFDB14DF99D945BBEBBF8EB48710F10421AF911A7291EB746940CBB5

Function 00CCC6B0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
Instruction ID: 0a45ab26ef37694ad4b4970142cf956abe8b5bb1d4c671a5222939534e89cbba
Opcode Fuzzy Hash: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
Instruction Fuzzy Hash: 5DF11C71E002199FDB14CFA9D890BAEB7B1FF88314F15826DE929A7391D7309E41CB94

Function 00AE6440 Relevance: 3.3, APIs: 2, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 00AE656B
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00AE67A8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b31bdc0ff093eae7302154bc3e734b9fedbd3b5cdcb43ec8463b35b8def6b91
Instruction ID: ee092ff30e78e25ca71c98650c06217746bfeefcc1cf8e254bc4ab5378e29e05
Opcode Fuzzy Hash: 4b31bdc0ff093eae7302154bc3e734b9fedbd3b5cdcb43ec8463b35b8def6b91
Instruction Fuzzy Hash: 49C1E171A002468FCF18CF65C4A4AEEBBF5FF18344F188579D859AF285D734A945CBA0

Function 00C140C0 Relevance: 3.2, APIs: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,2E261FC3,00000000,?,00000000), ref: 00C141B4
FindClose.KERNEL32(00000000,?,00000000), ref: 00C141FF

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 47fd8cee1852facbc702bac95c9ed6ed90f00dcb23ebd930385beedb83686bcd
Instruction ID: f43d8e9265a45d549a1a75835425243483e6799d62525cb8d681751aaaf261bb
Opcode Fuzzy Hash: 47fd8cee1852facbc702bac95c9ed6ed90f00dcb23ebd930385beedb83686bcd
Instruction Fuzzy Hash: FD51BE7190060ACFDB14DFA8C958BEEBBF4FF49314F204519E816AB381D734AA45DBA1

Function 00C5A310 Relevance: 3.1, Strings: 2, Instructions: 556COMMON

Download Yara Rule

Strings

H , xrefs: 00C5A409
h , xrefs: 00C5A455

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: H $h
API String ID: 0-47501454
Opcode ID: 3a446bd3bf8481d0a3e8f282b9aecb45e5feac70001a631c2d104327fb5013dd
Instruction ID: 53323f97377c5dd883b65c67d87b314252e64bcf185f3ff0a45dc2a2993a12dd
Opcode Fuzzy Hash: 3a446bd3bf8481d0a3e8f282b9aecb45e5feac70001a631c2d104327fb5013dd
Instruction Fuzzy Hash: 85128075E002189FCB14DFA9C894AEEBBB5FF48310F158259E811B7391DB30AE45CBA5

Function 00AF4F40 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00AF4F45
SetUnhandledExceptionFilter.KERNEL32(Function_0013D330), ref: 00AF4F5B

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 0b3c87e234c1f7ec57c029685a4c5dc52bdcc816c0e8c49a5fecff312df4cd4e
Instruction ID: b3ec1200bd1b5aba7557225c64aadf3aa95f84a5884c04598470cbba83651353
Opcode Fuzzy Hash: 0b3c87e234c1f7ec57c029685a4c5dc52bdcc816c0e8c49a5fecff312df4cd4e
Instruction Fuzzy Hash: 3FD012B095C384DEEF1057B69D0A7663E902761B05F1441A8F486122B2DBA2398DD313

Function 00B34B50 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00B34D35, 00B34F1F

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: baf25a6bb4d19ce0a64c2bcf73cc639e308bb75acc3010af9644ec3e83e49fbf
Instruction ID: d9f16e62408072485be5c33303b21a56316ab9684805454215398f0775a9e940
Opcode Fuzzy Hash: baf25a6bb4d19ce0a64c2bcf73cc639e308bb75acc3010af9644ec3e83e49fbf
Instruction Fuzzy Hash: C212C571A006099FCB19DF68C981AADF7F5FF48310F2482AAE815EB391D735E941CB90

Function 00C50C60 Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

0e+00, xrefs: 00C50ECD

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: 0e+00
API String ID: 0-2793203700
Opcode ID: b565a77fa28ff1d7827c13fdecb71fdee79c85bbe69cf6e72ce84393db4db793
Instruction ID: 3d09bdb7aeac30ab1274d6d3393394015843e1597e86408f2021734e831411f0
Opcode Fuzzy Hash: b565a77fa28ff1d7827c13fdecb71fdee79c85bbe69cf6e72ce84393db4db793
Instruction Fuzzy Hash: 8DD1D276E042058FCB18DF6DD8816AEF7E5BB88310F18463DE819D7391E7749A888B90

Function 00AC8480 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AC8623

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 12f30b626abda7940041c504f628c9b550b6f99a7ac465f166411387719f283d
Instruction ID: 5d7d1f7ba7bc05269b136eb959671355a2aaeaaa9c824cb55554c1ff4a7f0f07
Opcode Fuzzy Hash: 12f30b626abda7940041c504f628c9b550b6f99a7ac465f166411387719f283d
Instruction Fuzzy Hash: 3371F6B1801B48CFE761CF78C94478ABBF0BB05324F148A5DD4A99B3D1D3B9A648CB91

Function 00ADE8F0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00ADCF48,?,?,?,?,?), ref: 00ADE940

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e5ba1eabf8af15b2e3fd472fd436db8761f51461b790f4c708dc7bfd4092e547
Instruction ID: ffc5f7f197d19d57c24acf3c0da3285d8fefae8423519c85eaa56bb61585cdd3
Opcode Fuzzy Hash: e5ba1eabf8af15b2e3fd472fd436db8761f51461b790f4c708dc7bfd4092e547
Instruction Fuzzy Hash: 17F08270006146DEE354EB54C8A8A69F7B6FB45342F4849F7E09ADD5A0C3398E44DF10

Function 00C9E8E0 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fec6aa817b7324483a1312cbb0284a863cc157e8b0a144cb16b5f4de65d1b4
Instruction ID: 4501389f13c09b9afeb6723bbd784bf2f1f6f318cdb6f342f06eeec441e69512
Opcode Fuzzy Hash: a7fec6aa817b7324483a1312cbb0284a863cc157e8b0a144cb16b5f4de65d1b4
Instruction Fuzzy Hash: 1322C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 00C510D0 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a821a581c80ffa6ba1b01071a8110b22e4e360af58f0ed34da762129eecab6c
Instruction ID: 76d7b43a0ba143ed6b9a2c72892893b0618656fd77c7932bbb3b4a0506d90b24
Opcode Fuzzy Hash: 5a821a581c80ffa6ba1b01071a8110b22e4e360af58f0ed34da762129eecab6c
Instruction Fuzzy Hash: E3D1EF79B043118FC7148E2CC88472ABBE1EBD9351F58463EFC96C7351E671DA898B86

Function 00CC505C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b92306f15964ff399d6875254213bf1a29e2ee310b8eaddf1c7de6190dbacfd
Instruction ID: 587d4c5d9da8fa1f32ed01ab3b64e920bebfa1c42fc644e1af2fda03764e1418
Opcode Fuzzy Hash: 9b92306f15964ff399d6875254213bf1a29e2ee310b8eaddf1c7de6190dbacfd
Instruction Fuzzy Hash: 90E16974A00A058FCB28CF68C584FAEB7F1BF45310B284A5DD4669B2A1D771BEC6CB51

Function 00CC4CCE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a9289364f240a22338405b5b4aac10d6bd92567dff0e7e916e80365ea8d548
Instruction ID: a0355579eef0c268cc7459def5617005dc9184443e1c46840e6a984ecc05330e
Opcode Fuzzy Hash: 75a9289364f240a22338405b5b4aac10d6bd92567dff0e7e916e80365ea8d548
Instruction Fuzzy Hash: 3EC1BD74A00A4A8FCB28DF68C4A0FBEBBB1BF45310F24865DD46397691C730AE85CB51

Function 00D49508 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b68f5401dd2e61d1e84253cd64662ad6ccfab1af1def20fd0f7a6c7f5b67c5d
Instruction ID: 324b916b2bf9e86561777c3994bb5dac4bf7e73d5e674cf2a68a6043f23bd95d
Opcode Fuzzy Hash: 9b68f5401dd2e61d1e84253cd64662ad6ccfab1af1def20fd0f7a6c7f5b67c5d
Instruction Fuzzy Hash: F2B140A685E3C10FD7038B7458A9A917FB19F23254B4F46EBC0C4CF4B3E1589A1AD722

Function 00C496C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c428eefec9b9109d3d5e0ecaaa63b32ac1a678f9faf19883f83087edf380c9
Instruction ID: 71468fdaa093da62d4d45365046a6853ba36b1af6c7cb404e51e46e4fd30bf39
Opcode Fuzzy Hash: c0c428eefec9b9109d3d5e0ecaaa63b32ac1a678f9faf19883f83087edf380c9
Instruction Fuzzy Hash: 6A919172B043154BD708DE6DCD9136AF6E6EBC8310F1A853EF94AC73A1E678DC058681

Function 00D4951C Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5643636a3966a01b1effbd4416a2adaa750e7c262321689ecadc4c5b92051449
Instruction ID: 3711c964ac05395589250789f456da3b83c14961c167ae59b45cfcd37139d9ac
Opcode Fuzzy Hash: 5643636a3966a01b1effbd4416a2adaa750e7c262321689ecadc4c5b92051449
Instruction Fuzzy Hash: 3CC140A685E3C14FD7038B7458A9A917FB09F23254B4F46EBC0C5CF0B3E2585A1AD722

Function 00D49518 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7c2365a5d7dd156d0bfbed741267fb1021bfa17299828bdb599341e05cb0a0
Instruction ID: 722f8b918f50c9cfe97ff5e18716499fb21306010404b73f668f6568322ff2ed
Opcode Fuzzy Hash: 0d7c2365a5d7dd156d0bfbed741267fb1021bfa17299828bdb599341e05cb0a0
Instruction Fuzzy Hash: C0B15FA685E3C14FD7038B7458A9A917FB09F23254B4F46EBC0C5CF0B3E2585A1AD722

Function 00D49520 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ecbf17060112310df5d612bf1b6fa9ef972bf28a8d4fa4dd185f70c28f3abb
Instruction ID: cc9518a50eae6fc14aeada62e69cf09c786c7fc1b082c44aea81ba40c418de47
Opcode Fuzzy Hash: 04ecbf17060112310df5d612bf1b6fa9ef972bf28a8d4fa4dd185f70c28f3abb
Instruction Fuzzy Hash: 48B15FA685E3C14FD7038B7458A9A917FB09F23254B4F46EBC0C5CF0B3E2585A1AD722

Function 00CA5500 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a3f82deb2fbf3c4b91ec6546de5084811306920be900befed601aba40ebbca
Instruction ID: b298d783550efb786982205dd46c2f89430f65213f8e9cc44a0e59ac857c2f71
Opcode Fuzzy Hash: 01a3f82deb2fbf3c4b91ec6546de5084811306920be900befed601aba40ebbca
Instruction Fuzzy Hash: 3921D636B209060BDB8CDB29DC7667933D2E385305788927DEA5BCB291D7389456C740

Function 00B864E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae7274266f183f6430831928dda18ab74c8728b6f9ccaefb42b088dcd505959
Instruction ID: 9e1bedf75896c8e9911788b9954f4e6233007e57e7630b1eb77d63291921e469
Opcode Fuzzy Hash: aae7274266f183f6430831928dda18ab74c8728b6f9ccaefb42b088dcd505959
Instruction Fuzzy Hash: 534104B0905749EED704CF69C10878AFBF0BF09318F20865DD4589B781D3BAA658CB95

Function 00AD2590 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8a71e287a44ebcc8524f6ddad39335172c3631f94f46539e5602959e39f28d
Instruction ID: 218e4744e06f7244e7b9ad94ae31723d81945b244e2ed6ebebf59f75333d8c11
Opcode Fuzzy Hash: 4c8a71e287a44ebcc8524f6ddad39335172c3631f94f46539e5602959e39f28d
Instruction Fuzzy Hash: 8C31D0B0405B84CEE321CF29C55874BBFF0BB05718F148A5DD4A65BB91D3BAA648CB91

Function 00ACAE70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a220cc3b11f13cc8a60d63f013b6b2b327b1a99b0c5b22a97a9582adce27dd
Instruction ID: bac5a9a49ce173c9e67e844e9e1eeb3bb97fa2297754df589edd90b6bf294b5e
Opcode Fuzzy Hash: d2a220cc3b11f13cc8a60d63f013b6b2b327b1a99b0c5b22a97a9582adce27dd
Instruction Fuzzy Hash: 45216DB1900348DFD701CF58C80479ABBF4FB5A318F25829ED414AB391E37A9A06CF90

Function 00ACB4D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664a23fd11688ee33d65ac247a0337bfba4a8316486a9a7c7a3802abf950dec6
Instruction ID: 526dd39b7dee86aef4b83a0d8da6add01a1d0ccfab6aa69438e9edd557130a36
Opcode Fuzzy Hash: 664a23fd11688ee33d65ac247a0337bfba4a8316486a9a7c7a3802abf950dec6
Instruction Fuzzy Hash: D3214AB1900348DFD701CF58C80479ABFF4FB59318F25829AD414AB391E37A9A06CF90

Function 00D7EF0C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d7999498870410a4cdc47cb00e4aad573c2ed251d0f2293e55b8d731b85522
Instruction ID: 0d487beb74d7c7c48bad8b51e23c73c9d2ef69f101667c0c2a71c14983c0a989
Opcode Fuzzy Hash: d0d7999498870410a4cdc47cb00e4aad573c2ed251d0f2293e55b8d731b85522
Instruction Fuzzy Hash: B001089680E3D41ECB03877459A9287BF30AF1312834B86DFC891AF0F7E645181ADB66

Function 00AECC50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5386f9eeea9c7bf0007ef214b606b0ec68e4590d656ad4775c47c875c13b716d
Instruction ID: bcccf9c2113f06b9bd35243d15fc12be689423ae46241afcee9eb66776276cc5
Opcode Fuzzy Hash: 5386f9eeea9c7bf0007ef214b606b0ec68e4590d656ad4775c47c875c13b716d
Instruction Fuzzy Hash: 99110CB1904348DFC740CF58D544B49BBF4FB09328F2086AEE8189B381D37A9A0ACF84

Function 00CD6676 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e8412fa3df0b0380fb672b69366078298b159b536c9ab8ce4dd016ff18047
Instruction ID: 889bcbcd94062c35efe96330d10e29e88893d1cd118462d59086e57ea38e4980
Opcode Fuzzy Hash: 761e8412fa3df0b0380fb672b69366078298b159b536c9ab8ce4dd016ff18047
Instruction Fuzzy Hash: EAF08532A10320ABCB229B4CC805B99B3ECEB44B24F1210A6F600AB241C2B0EE40CAC0

Function 00CD66BA Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction ID: 866b24a41ae959b95b36e825116dbb9fc51ec61b3de7481b65687aaa9c6b35c7
Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction Fuzzy Hash: F2E08C32915228EBCB14DB9CC90499AF3ECEB44B00B118097F601E3201C270DF00D7D0

Function 00C2EAF0 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 343COMMON

Download Yara Rule

Strings

txt, xrefs: 00C2EBDE
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00C2EC83
Unable to retrieve exit code from process., xrefs: 00C2EEA7
ps1, xrefs: 00C2EBB1, 00C2EBC3, 00C2EBCD
Unable to get a temp file for script output, temp path: , xrefs: 00C2EC27
Unable to create process: , xrefs: 00C2ED28
Unable to find file , xrefs: 00C2EB26
Unable to retrieve PowerShell output from file: , xrefs: 00C2EE84

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: f5f3d53a4747874200571a8a6625d804cd125718b3ba89021f9894b6e26c3d71
Instruction ID: b1ab88ff3204dcd2e524a1b57b26774f996d22683ea23f76c59fcd2dbce97289
Opcode Fuzzy Hash: f5f3d53a4747874200571a8a6625d804cd125718b3ba89021f9894b6e26c3d71
Instruction Fuzzy Hash: F3D1BC34D00619AFDB10DFA8D949BAEFBB9FF09314F144259E421B7391DB70AA05CBA1

Function 00AC8710 Relevance: 25.7, APIs: 17, Instructions: 158windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00AC8736
GetClientRect.USER32(?,?), ref: 00AC874E
FillRect.USER32(00000000,?,00000000), ref: 00AC876D
DeleteObject.GDI32(00000000), ref: 00AC8774
EndPaint.USER32(?,?), ref: 00AC8782
BeginPaint.USER32(?,?), ref: 00AC87B7
GetClientRect.USER32(?,?), ref: 00AC87CF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AC87E8
CreateCompatibleDC.GDI32(00000000), ref: 00AC87FD
SelectObject.GDI32(00000000,00000000), ref: 00AC880F
FillRect.USER32(00000000,?,00000000), ref: 00AC883C
DeleteObject.GDI32(?), ref: 00AC8846
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00AC888D
SelectObject.GDI32(00000000,?), ref: 00AC889C
DeleteDC.GDI32(00000000), ref: 00AC88A3
DeleteObject.GDI32(00000000), ref: 00AC88AA
EndPaint.USER32(?,?), ref: 00AC88B8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Object$DeletePaintRect$BeginClientCompatibleCreateFillSelect$Bitmap
String ID:
API String ID: 1280635051-0
Opcode ID: dc4a000f184478ee68e01d813fba86285e90edeb638c59b91ef2cd8bbc100658
Instruction ID: d0b0006adef93a62d95341edc789ef1f58cfb075fd353bfa3bfad7382862ec3a
Opcode Fuzzy Hash: dc4a000f184478ee68e01d813fba86285e90edeb638c59b91ef2cd8bbc100658
Instruction Fuzzy Hash: 3E517E72205309AFD7109F65DC49F6BBBE9FB48701F044529F946E21A0DB76EC14CBA2

Function 00AC82B0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 115registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E072EC,2E261FC3,00000000,?,?,?,?,?,?,00AC7A15,00CE713D,000000FF), ref: 00AC82ED
GetClassInfoExW.USER32 ref: 00AC832D
LoadCursorW.USER32(00000000,00007F00), ref: 00AC8368
RegisterClassExW.USER32(00000030), ref: 00AC8391
GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 00AC83D8
LoadCursorW.USER32(00000000,00007F00), ref: 00AC8410
RegisterClassExW.USER32(00000030), ref: 00AC8431
LeaveCriticalSection.KERNEL32(00E072EC), ref: 00AC8463

Strings

AtlAxWin140, xrefs: 00AC831B, 00AC8383
0, xrefs: 00AC83F5
WM_ATLGETHOST, xrefs: 00AC82F3
WM_ATLGETCONTROL, xrefs: 00AC8302
r, xrefs: 00AC82D6
AtlAxWinLic140, xrefs: 00AC83CD, 00AC8427

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Class$CriticalCursorInfoLoadRegisterSection$EnterLeave
String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$r
API String ID: 927868316-3668823721
Opcode ID: 0cfcc9e59f2e2d1e1f1e0b62e26b4a6feb9287ffb788dbe7a2671ddc709d3e10
Instruction ID: 662d2bb380bc62b57541cbf7d04a4542d3e0e7741b9edcf0df126c0a7d5b5112
Opcode Fuzzy Hash: 0cfcc9e59f2e2d1e1f1e0b62e26b4a6feb9287ffb788dbe7a2671ddc709d3e10
Instruction Fuzzy Hash: 1E5117B1C103189FDB01DFE5D949BDEBBB8FF08704F14412AE405B6290EBB956898FA5

Function 00BEA4A0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 398libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,2E261FC3,00000000,00000000), ref: 00BEA531
GetLastError.KERNEL32 ref: 00BEA55F

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00BEA575
FreeLibrary.KERNEL32(00000000), ref: 00BEA591
GetLastError.KERNEL32 ref: 00BEA59E
GetLastError.KERNEL32 ref: 00BEA795
GetLastError.KERNEL32 ref: 00BEA7FA

Strings

Advapi32.dll, xrefs: 00BEA52C
ConvertStringSidToSidW, xrefs: 00BEA56F

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: e3cb4c041bda92972756fe083a6e8bfb0192f075ad24074bec2df076db89e206
Instruction ID: d8c695ccdaecb4276e3ec5b850728597e6848806cc12fd5f650750acf6ffc588
Opcode Fuzzy Hash: e3cb4c041bda92972756fe083a6e8bfb0192f075ad24074bec2df076db89e206
Instruction Fuzzy Hash: FBF179B1C01249ABDB10DF95D9847EEBBF8FF08310F214259E915B7281E734AA45DBA2

Function 00AC1250 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,2E261FC3,00000000,?,?,?,?,?,?,?,?,?,?,?,2E261FC3), ref: 00AC12D3
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00AC12D9
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,00D74720,00000000,00000000,00000000), ref: 00AC149B

Strings

DllGetActivationFactory, xrefs: 00AC14DE
.dll, xrefs: 00AC1482
combase.dll, xrefs: 00AC12CE, 00AC137F
CoIncrementMTAUsage, xrefs: 00AC137A
RoGetActivationFactory, xrefs: 00AC12C9

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: 62e34c99e5c1584674c47e8c292c4d815191e4fb4af6ee0f5251d79d6b9d0c4b
Instruction ID: 09d55f187e8b049ddbd0c734c0632412520afeb41a9e73be9b9947b7a3a931fb
Opcode Fuzzy Hash: 62e34c99e5c1584674c47e8c292c4d815191e4fb4af6ee0f5251d79d6b9d0c4b
Instruction Fuzzy Hash: 08B18B70E00209DFCB11DFA8C854FADBBB4FF49704F16816DE811AB291EB749944CBA0

Function 00B36F20 Relevance: 19.7, APIs: 13, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00B36F67
GetParent.USER32(00000000), ref: 00B36F7A
GetWindow.USER32(00000000,00000004), ref: 00B36F85
GetWindowRect.USER32(00000000,?), ref: 00B36F93
GetWindowLongW.USER32(00000000,000000F0), ref: 00B36FA6
MonitorFromWindow.USER32(00000000,00000002), ref: 00B36FBE
GetMonitorInfoW.USER32(00000000,?), ref: 00B36FD4
GetWindowRect.USER32(00000000,?), ref: 00B36FFA
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00B370B5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: 4dc97136d065e1fe93a9488ec13aca50dc315b15ee09584140ec71a53b2d8651
Instruction ID: 3ee2c650ec8d6f8c9adc732f304d34672524d577b05b0c7ea673af4f5886913c
Opcode Fuzzy Hash: 4dc97136d065e1fe93a9488ec13aca50dc315b15ee09584140ec71a53b2d8651
Instruction Fuzzy Hash: 91518F72904218AFDB24CFA9DD49AAEBBF9FB44310F244269F815F3290DB35AD44CB51

Function 00AEC0F0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,2E261FC3), ref: 00AEC178

Part of subcall function 00AC9C20: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AC9C62

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00AEC283
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00AEC297
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00AEC2AC
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00AEC2C1
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00AEC2D8
ClientToScreen.USER32(?,?), ref: 00AEC2F8
GetWindowRect.USER32(?,?), ref: 00AEC30A
SendMessageW.USER32(00000000,00000412,00000000), ref: 00AEC366
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00AEC37A

Strings

tooltips_class32, xrefs: 00AEC172

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$Window$ClientCreateLongRectScreen
String ID: tooltips_class32
API String ID: 1468030502-1918224756
Opcode ID: 0c64e23419dc843be3c90b71de82cdf5263642be04cc957bda34b264bce9f053
Instruction ID: a673fdeec9e4d7ec0092c33409169db2a8e02cbc8365a7ee1750fd8c9fd5cf8c
Opcode Fuzzy Hash: 0c64e23419dc843be3c90b71de82cdf5263642be04cc957bda34b264bce9f053
Instruction Fuzzy Hash: F3915CB1A00308AFDB14CFA5CC55BAEBBF9FB48300F14852AF516EB290D775A945CB50

Function 00BF76A0 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,2E261FC3,?), ref: 00BF7737
SymSetSearchPath.IMAGEHLP(2E261FC3,?,2E261FC3,?), ref: 00BF7998

Strings

MODULE_BASE_ADDRESS, xrefs: 00BF83C7
<--------------------MORE--FRAMES-------------------->, xrefs: 00BF831D
*** Stack Trace (x86) ***, xrefs: 00BF8257
-> , xrefs: 00BF7F7C
%hs:%ld, xrefs: 00BF7C34
%hs(), xrefs: 00BF7E6A
Dbghelp.dll, xrefs: 00BF8133
SymFromAddr, xrefs: 00BF812E
[0x%.8Ix] , xrefs: 00BF8381

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: *** Stack Trace (x86) ***$ -> $%hs()$%hs:%ld$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1980563475-1582651777
Opcode ID: 87add2723873ee78784fbb147495eb3daf3a86c1e82b31ccdba16034502db235
Instruction ID: e9cdb05f9b0e4279f0e0627802d7997745885c31db13dbb6508050181481babd
Opcode Fuzzy Hash: 87add2723873ee78784fbb147495eb3daf3a86c1e82b31ccdba16034502db235
Instruction Fuzzy Hash: 40918A71D0416C8FCB28CB24CC95BEDB7B4EB4A314F1082D9E659A7291DB305E88CF91

Function 00BFD4B0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 441libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00BFD616
GetProcAddress.KERNEL32(00000000), ref: 00BFD61D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00BFD657

Strings

Undefined, xrefs: 00BFD964
kernel32, xrefs: 00BFD611
IsWow64Process2, xrefs: 00BFD60C
Search result:, xrefs: 00BFD8F9
No acceptable version found. It must be downloaded manually from a site., xrefs: 00BFD97F, 00BFD980
Wrong OS or Os language for:, xrefs: 00BFDA0F
Searching for:, xrefs: 00BFD759

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process2$No acceptable version found. It must be downloaded manually from a site.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 4190356694-2080428883
Opcode ID: 7141c96ec1d739d057440f286ff5504db3bda39ae52f9376b2da785323119fab
Instruction ID: 5e4e8095307aa1b1a1b95f650a3f86f881224209fb87edc2edd840b5dccb0cbb
Opcode Fuzzy Hash: 7141c96ec1d739d057440f286ff5504db3bda39ae52f9376b2da785323119fab
Instruction Fuzzy Hash: A10291709006099FDB14DFA8C994BBDB7F2FF45314F144259E616AB2D0DB31AD49CB90

Function 00C27450 Relevance: 16.7, APIs: 11, Instructions: 214fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00E02000,2E261FC3,-00000001), ref: 00C2748C
EnterCriticalSection.KERNEL32(-00000001,2E261FC3,-00000001), ref: 00C27499
WriteFile.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C274CB
FlushFileBuffers.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C274D4
WriteFile.KERNEL32(00000000,?,?,?,00000000,00D746F0,00000001,?,?,2E261FC3,00000000), ref: 00C2756C
FlushFileBuffers.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C27575
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,2E261FC3,00000000), ref: 00C275B8
FlushFileBuffers.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C275C1
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,00D776F4,00000002,?,?,2E261FC3,00000000), ref: 00C2762E
FlushFileBuffers.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C27637
LeaveCriticalSection.KERNEL32(00000000,?,?,2E261FC3,00000000), ref: 00C27676

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
String ID:
API String ID: 1900893598-0
Opcode ID: 53974372b472c43cfc1086436b9ef4bdaefcac574c154032ae0b2f7fbfb55bc0
Instruction ID: 8058bced372198b912a532f08fdd4c82c8374db437087c5f44d795bf52c3d273
Opcode Fuzzy Hash: 53974372b472c43cfc1086436b9ef4bdaefcac574c154032ae0b2f7fbfb55bc0
Instruction Fuzzy Hash: 4371AC34A00614AFDB01DF68DD99BAEBBB9EF49314F144158F811E7392DB319E05CBA0

Function 00C28BF0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 308libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2AC0: GetLastError.KERNEL32(2E261FC3,00D32DFD,00D32DFD,00D32DFD,?,00000000,00D245BD,000000FF,?,80070057,00000000,?,?,00D32DFD,00BE9ECA,00000000), ref: 00BD2B31

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00C28DAF
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00C28E18
GetLastError.KERNEL32(?,?,00D330E5,000000FF,?,00C076D0,?,?,?,?,?,?,00000000), ref: 00C28E42
FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,00D330E5,000000FF), ref: 00C28F44

Strings

Kernel32.dll, xrefs: 00C28C1D
neutral, xrefs: 00C28CB6
x64, xrefs: 00C28C9A
x86, xrefs: 00C28C6C
GetPackagePath, xrefs: 00C28DA9, 00C28E12

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressErrorLastProc$FreeLibrary
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 329358263-4043905686
Opcode ID: 43da3e1fda7831e74529038b345b82b6830268d4e79215cada108e7452c6e936
Instruction ID: 7681cf485ae7d8a3737c84d7fb29f68e01015d1b1cfe60c4d15744f7c0e52d40
Opcode Fuzzy Hash: 43da3e1fda7831e74529038b345b82b6830268d4e79215cada108e7452c6e936
Instruction Fuzzy Hash: 96C19C74A012199FCB04DFA8D958AAEBBB5FF08310F14815DE415E7391EB75AD09CF60

Function 00AEAAF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00AEAB71
lstrcpynW.KERNEL32(?,?,00000020), ref: 00AEABF1
GetDC.USER32(?), ref: 00AEAC14
GetDeviceCaps.GDI32(00000000), ref: 00AEAC1B
MulDiv.KERNEL32(?,00000048,00000000), ref: 00AEAC2E
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00AEAC60
DeleteObject.GDI32(?), ref: 00AEAC9D

Strings

t, xrefs: 00AEAC3C
?, xrefs: 00AEAC34

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$CapsDeleteDeviceObjectlstrcpyn
String ID: ?$t
API String ID: 2619291461-1995845436
Opcode ID: 173e054324f6c2200bf85805fac2a178a65aa9563db7a8ad8bd6d07469317b7a
Instruction ID: 08dd26c945892e82f5bb11c24494079f802490f57a4e728553e40b23ce1924a6
Opcode Fuzzy Hash: 173e054324f6c2200bf85805fac2a178a65aa9563db7a8ad8bd6d07469317b7a
Instruction Fuzzy Hash: B05191B1604385AFD720DF61DC49B9BBBE8FB89300F040929F689D6291D775E548CB93

Function 00B7CBA0 Relevance: 15.1, APIs: 10, Instructions: 131windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B7CC23
GetWindowRect.USER32(?,?), ref: 00B7CC3B
GetWindowRect.USER32(?,?), ref: 00B7CC53
IntersectRect.USER32(?,?,?), ref: 00B7CC70
EqualRect.USER32(?,?), ref: 00B7CC80
GetSysColorBrush.USER32(0000000F), ref: 00B7CC97
GetWindowRect.USER32(?,?), ref: 00B7CCC0
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00B7CCD5
GetWindowLongW.USER32(?,000000EC), ref: 00B7CCE4
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00B7CD02

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
String ID:
API String ID: 2158939716-0
Opcode ID: 82d0e15661966a7d4279d40b26195c7af61b0fb69fe6c63631da3c345123c3eb
Instruction ID: 97077a7da71e9f55baeb7fb03d1a9531df0a72c2359e771ca3d2834060cd97a6
Opcode Fuzzy Hash: 82d0e15661966a7d4279d40b26195c7af61b0fb69fe6c63631da3c345123c3eb
Instruction Fuzzy Hash: 794160316083049FC300DF25D884E6BBBE9FF99704F05866EF959A7211D731E985CB92

Function 00ACC480 Relevance: 15.1, APIs: 10, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00ACC4C1
GetClientRect.USER32(?,?), ref: 00ACC4E8
CreateCompatibleDC.GDI32(?), ref: 00ACC4F8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00ACC519
DeleteDC.GDI32(00000000), ref: 00ACC526
FillRect.USER32(?,?,00000006), ref: 00ACC56A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CompatibleCreateRect$BitmapClientDeleteFill
String ID:
API String ID: 1262984673-0
Opcode ID: 7dd79c0b31debd8b1706f0e9eec8abf93bde8992511d4d6f94aa3a5b37c917b5
Instruction ID: 4f19c42b1b0edaa7ecd5e065efa3e19b43ffcfb33a3018fcc785295b84138bae
Opcode Fuzzy Hash: 7dd79c0b31debd8b1706f0e9eec8abf93bde8992511d4d6f94aa3a5b37c917b5
Instruction Fuzzy Hash: 5331D7B21443099FC715DF29D88CF2B7BE5BF98310F56092DF88A96261D732D984CB92

Function 00C0E280 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0FBA0: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00C0FBCD

Part of subcall function 00AC3380: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00AC3477
Part of subcall function 00AC3380: GetProcAddress.KERNEL32(00000000), ref: 00AC347E
Part of subcall function 00AC3380: PathFileExistsW.SHLWAPI(?), ref: 00AC34EC

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00C0E428
SetFileAttributesW.KERNEL32(?,00000080), ref: 00C0E43B
CopyFileW.KERNEL32(?,?,00000000), ref: 00C0E448

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00C0E58A
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00C0E5A0
CloseHandle.KERNEL32(?), ref: 00C0E5C1
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00C0E5D4

Strings

"%s" %s, xrefs: 00C0E4BE

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$Wow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateExistsHeapNamePathProc
String ID: "%s" %s
API String ID: 3861218247-1070868581
Opcode ID: 65993e4467d590ba1a0a38b7cabb42f30d7b98a998269587e391897ba0a72b64
Instruction ID: 0f36bef1eef8493f18d1147e5399ef20547360cd2a63effd6f75edad405e66a9
Opcode Fuzzy Hash: 65993e4467d590ba1a0a38b7cabb42f30d7b98a998269587e391897ba0a72b64
Instruction Fuzzy Hash: F3D1BE30E00648DFDB14DFA8CD18BADBBB5AF49314F288659E421AB3D1DB75AA05CF50

Function 00AC62B0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00AC62EE
SysAllocString.OLEAUT32(?), ref: 00AC6306
VariantInit.OLEAUT32(?), ref: 00AC6341
VariantClear.OLEAUT32(?), ref: 00AC63AA
VariantClear.OLEAUT32(?), ref: 00AC63B8
VariantClear.OLEAUT32(?), ref: 00AC63C6
VariantClear.OLEAUT32(?), ref: 00AC63D7

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 00AC645B

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: c17d740546e434295bf0e52b478fd16815a57117bd64bf7a6b5561926373293c
Instruction ID: ca01fa80d481ee1b9ce7b532151260f06d21e7123b239ffab280bb5832f6b3c4
Opcode Fuzzy Hash: c17d740546e434295bf0e52b478fd16815a57117bd64bf7a6b5561926373293c
Instruction Fuzzy Hash: 08A18F71900258DFCB04DFA8D948BAEBBB8FF49310F14426AE411E7391DB75AA44CB91

Function 00C2E8B0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Part of subcall function 00ABA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00AD5436,00000000,*.*,?,?,?,?), ref: 00ABA863

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,ps1,ps1,00000003,?,00C07FF8), ref: 00C2E9C8
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00C2EA0E
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00C2EA2B
CloseHandle.KERNEL32(00000000), ref: 00C2EA45
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00C2EA84

Strings

Unable to save script file , xrefs: 00C2EA54
ps1, xrefs: 00C2E931, 00C2E943, 00C2E94D, 00C2E95E
Unable to get temp file , xrefs: 00C2E9A9

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 3201387394-4253966538
Opcode ID: 55ecd57e810feb128de323bf4e8fa3526f00a0943dba55af4dedf82d0980b297
Instruction ID: 288a176f0ccc7e970aa6cdc7c81d5073fdb3b11caac4113fce493d2be413768a
Opcode Fuzzy Hash: 55ecd57e810feb128de323bf4e8fa3526f00a0943dba55af4dedf82d0980b297
Instruction Fuzzy Hash: A961F134A00259EFDB00DFA8DC45BAEBBB8BF45714F144219E511BB3C2DB749A05DBA0

Function 00ABECF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE08
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE12
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE24
GetExitCodeProcess.KERNEL32(?,?), ref: 00ABEE41
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE4B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE58
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00ABEE62

Strings

"%s" %s, xrefs: 00ABED90

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s
API String ID: 3234789809-1070868581
Opcode ID: 2e6a366bf82892bfddc717f84650ac1187dcae0c7d97ed58a26207129d2a682d
Instruction ID: 6211be0a2867a8502ed5d9c507eea9fadafb4bea40278972989408f809f4dd16
Opcode Fuzzy Hash: 2e6a366bf82892bfddc717f84650ac1187dcae0c7d97ed58a26207129d2a682d
Instruction Fuzzy Hash: 65515A71E00615EFDB24DF64C804BEEB7B9FF49714F204629E921A7291E770A941CBA0

Function 00CE2173 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00CE1ADF), ref: 00CE218C

Strings

acos, xrefs: 00CE22C2
log10, xrefs: 00CE21CE, 00CE21DD
pow, xrefs: 00CE222A, 00CE22D4, 00CE2321
sqrt, xrefs: 00CE22CB
exp, xrefs: 00CE220B, 00CE2270
asin, xrefs: 00CE22B9
log, xrefs: 00CE21E9, 00CE21F8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 159c99aedd2cd9224f4042b51e8bfea36651321a06c86d5bf3c2923ba7200b0e
Instruction ID: fdad103ebd5dfb2f4af61a91f78ef713efdb8834567f07b915991b54ab558c76
Opcode Fuzzy Hash: 159c99aedd2cd9224f4042b51e8bfea36651321a06c86d5bf3c2923ba7200b0e
Instruction Fuzzy Hash: 6A51AD7580064ECBCF148FABE84C7ADBBBCFF09310F544145D5A1A6264CB758A65DF60

Function 00CC0260 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CC0297
___except_validate_context_record.LIBVCRUNTIME ref: 00CC029F
_ValidateLocalCookies.LIBCMT ref: 00CC0328
__IsNonwritableInCurrentImage.LIBCMT ref: 00CC0353
_ValidateLocalCookies.LIBCMT ref: 00CC03A8
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00CC03BE
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00CC03D3

Strings

csm, xrefs: 00CC033D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: cca1a1801c2434c5e9a7eb2bda8cb71630c27f0446408fc9a2a32129d6596fd3
Instruction ID: 64f7dc853b00fa8fefd002f6430e14ac7118e0dd5dfa883e6f3854ed9844648b
Opcode Fuzzy Hash: cca1a1801c2434c5e9a7eb2bda8cb71630c27f0446408fc9a2a32129d6596fd3
Instruction Fuzzy Hash: 1841A334A00248DBCF10DF69C885F9EBBA5AF46324F28815DEC149B363D735DA06DB91

Function 00AB2C50 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00E01FBC,00000000,2E261FC3,00000000,00D24873,000000FF,?,2E261FC3), ref: 00AB2DC3
GetLastError.KERNEL32(?,2E261FC3), ref: 00AB2DCD

Strings

VolumeCostAvailable, xrefs: 00AB2C90
VolumeCostSize, xrefs: 00AB2C87
VolumeCostRequired, xrefs: 00AB2C99
VolumeCostDifference, xrefs: 00AB2CA3
VolumeCostVolume, xrefs: 00AB2C7D, 00AB2D35

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-34576578
Opcode ID: 0de442d6a20259362366443618cde0d7e499480683a545f367a3871d691ebfd7
Instruction ID: 7b9c8882541a5818f541fbad01b745c851e5b79e810dadf73b4bbbebebaf1c1b
Opcode Fuzzy Hash: 0de442d6a20259362366443618cde0d7e499480683a545f367a3871d691ebfd7
Instruction Fuzzy Hash: 6051D4B1E002099FDB00DF55DC457EEBBF8FB08314F54426AE815AB391E77A9948CBA1

Function 00CBC027 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00CBC1D1,?,?,?,?), ref: 00CBC04B
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00CBC052

Part of subcall function 00CBC11D: IsProcessorFeaturePresent.KERNEL32(0000000C,00CBC039,00000000,?,00CBC1D1,?,?,?,?), ref: 00CBC11F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00CBC1D1,?,?,?,?), ref: 00CBC062
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 00CBC089
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 00CBC09D
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 00CBC0B0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 00CBC0C3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: d2fa3a79df7687674149d5c59cac1b4041060f9197d0365e14bdfb3f951de152
Instruction ID: f6a355c0e7a726b0669d220af7e5a97c68f7823fcb67f10fad2f12cc6d73ddbf
Opcode Fuzzy Hash: d2fa3a79df7687674149d5c59cac1b4041060f9197d0365e14bdfb3f951de152
Instruction Fuzzy Hash: 89119D75A41211EFDA316B6AACD9FABBA6CAB85781F144020F902E6250DA61DC0496B4

Function 00AD07A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,2E261FC3), ref: 00AD0841
GetLastError.KERNEL32 ref: 00AD0878
RegCloseKey.ADVAPI32(?,Function_002C4720,00000000,Function_002C4720,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00AD0AEE
CloseHandle.KERNEL32(?,2E261FC3,?,?,00000000,00CE85ED,000000FF,?,Function_002C4720,00000000,Function_002C4720,00000000,?,80000001,00000001,00000000), ref: 00AD0B7E

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00AD08B0
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00AD0836

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: aa368bf2b9a4a692c0e8c11f06c2d9192bb900fd70881b266ecc79f02382cb5b
Instruction ID: 741c641f1f7ffa569577c0b8a0626fe69be5927a5a16bc803e8fb05d2e49ee21
Opcode Fuzzy Hash: aa368bf2b9a4a692c0e8c11f06c2d9192bb900fd70881b266ecc79f02382cb5b
Instruction Fuzzy Hash: 1FC1FF70D00348EFDB14CF68C954BAEBBB5FF15304F14829AE459A3781DB74AA84CB91

Function 00AC2B80 Relevance: 10.7, APIs: 7, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00AC2C80
SysFreeString.OLEAUT32(00000000), ref: 00AC2D08
GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 00AC2D80
HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 00AC2D86
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,2E261FC3,?,?,?), ref: 00AC2DB3
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,2E261FC3,?,?,?), ref: 00AC2DB9
SysFreeString.OLEAUT32(00000000), ref: 00AC2DD1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: 824afc19c7c526a8ad0619d8d2624ce8968c2a418d1d153823d597736b4e9a3b
Instruction ID: 6e2bb7d9f88b624bcc88981eb5cd1da2c492505860d4689ffc11a13875a8deeb
Opcode Fuzzy Hash: 824afc19c7c526a8ad0619d8d2624ce8968c2a418d1d153823d597736b4e9a3b
Instruction Fuzzy Hash: 279157B0D00219DFDF11DFA8C944BEEBBB8BF15314F26455DE811A7291DB789A04CBA1

Function 00AC097A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 214libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,Function_002C4720,00000000,00000000,00000000), ref: 00AC0A7D
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00AC0AC6

Strings

DllGetActivationFactory, xrefs: 00AC0AC0
.dll, xrefs: 00AC0A64

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 2574300362-1250754257
Opcode ID: 2d649f5de47f2a1f911cd8d5c730d643817b2b8e7cd94dc4dcd00c1877e9d840
Instruction ID: 39db521fbe88d352749e10d454609bf912a1d1a54913e78f8b2d6dd21c2b5625
Opcode Fuzzy Hash: 2d649f5de47f2a1f911cd8d5c730d643817b2b8e7cd94dc4dcd00c1877e9d840
Instruction Fuzzy Hash: 88917970D00209EFDB14DFA8C899FEDFBB5AF54304F26815DE411AB291DB749A44CB91

Function 00C26FE0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00D2C45F,000000FF), ref: 00C2719B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00D2C45F,000000FF), ref: 00C27254

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00C270F3
, , xrefs: 00C270A5
$ , xrefs: 00C2714F, 00C2725E
, , xrefs: 00C270EC

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>$$ $, $,
API String ID: 1977327082-3733622743
Opcode ID: 72d273a03ce8010fff531af51a69b6bafcb5ad71d87399f0abcc826264222dc7
Instruction ID: f36cdc73c2f7a5978b68c0b88c3d80547ce4343c5beaecae21f6b8a6ef5cbd10
Opcode Fuzzy Hash: 72d273a03ce8010fff531af51a69b6bafcb5ad71d87399f0abcc826264222dc7
Instruction Fuzzy Hash: E571E131A00348DFDB01DF68C95876EBBF5EF89314F24425EE914AB382DB759A09CB90

Function 00AD0530 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,2E261FC5), ref: 00AD0673
CloseHandle.KERNEL32(00000000), ref: 00AD06D0

Part of subcall function 00CBCAB5: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAC0
Part of subcall function 00CBCAB5: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAFA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00AD0737
CloseHandle.KERNEL32(00000000,?), ref: 00AD075D

Part of subcall function 00CBCA64: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCA6E
Part of subcall function 00CBCA64: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAA1
Part of subcall function 00CBCA64: WakeAllConditionVariable.KERNEL32(00E00884,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAAC

Strings

html, xrefs: 00AD062C
aix, xrefs: 00AD0631

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html
API String ID: 3683816281-2369804267
Opcode ID: 220a23c30ec5379c8e53e7be77cf7c54d7fb0931bf87942c9ef71d5a6a0ddeb2
Instruction ID: 651eb494488893dbca9a995d00df523b1a7384480ceeb09abdd1e315db5a0492
Opcode Fuzzy Hash: 220a23c30ec5379c8e53e7be77cf7c54d7fb0931bf87942c9ef71d5a6a0ddeb2
Instruction Fuzzy Hash: DC61BD70D04348DFEB10CFA4D958B9EBBF4FB04708F104559E842AB381D7BA6A49DBA1

Function 00ADE770 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,2E261FC3,00000000,?,?,?,?,?,?,?,?,00000000,00CEADD5,000000FF,?,00ADE593), ref: 00ADE7B2
GetWindowRect.USER32(?,?), ref: 00ADE7D1
IsWindowEnabled.USER32(?), ref: 00ADE7E0
SelectObject.GDI32(00000000,00000000), ref: 00ADE84D
SelectObject.GDI32(?,?), ref: 00ADE891
DeleteObject.GDI32(00000000), ref: 00ADE8A0
DeleteDC.GDI32(?), ref: 00ADE8C3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ObjectWindow$DeleteSelect$EnabledRect
String ID:
API String ID: 2818206005-0
Opcode ID: 1dc1466e8656bdbd7a88bb0936486eb9e50f721a3ec6bfb933afbf283477efc1
Instruction ID: edf5c6349a23075cff69dca199118f6f44c8baca6a3d01678cce1152f5c44396
Opcode Fuzzy Hash: 1dc1466e8656bdbd7a88bb0936486eb9e50f721a3ec6bfb933afbf283477efc1
Instruction Fuzzy Hash: 95414C75A00218AFDB04DFA9DD88BAEBBB9FB88310F144129E905B7290D7756D44CB61

Function 00BF8C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00C0537B,?), ref: 00BF8CAF
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00BF8CC5
FreeLibrary.KERNEL32(00000000), ref: 00BF8D08
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0537B,?), ref: 00BF8D24

Strings

DllGetVersion, xrefs: 00BF8CBF
Shlwapi.dll, xrefs: 00BF8CA8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: ac7ecad979c6ab7c5a2f3f988ded6767758ed2a1f61939f66a913570dff94ea9
Instruction ID: 83500b5c24e870dcc38a6bed1eaf60a4c34fa91bd8b9b2dd9e215dfa69b7fb98
Opcode Fuzzy Hash: ac7ecad979c6ab7c5a2f3f988ded6767758ed2a1f61939f66a913570dff94ea9
Instruction Fuzzy Hash: 99219C796003058BC714DF2AE88597BFBE4EF9E310B40096EF859C3350EE3098498BA2

Function 00CB953E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CB95B9,00CB951C,00CB97BD), ref: 00CB9555
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CB956B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CB9580

Strings

AcquireSRWLockExclusive, xrefs: 00CB9565
KERNEL32.DLL, xrefs: 00CB9550
ReleaseSRWLockExclusive, xrefs: 00CB9575

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 10b21deb4cfda85ebc5f73e99ace36e2f9294ca1c0a3fd2d71f538f947573ee4
Instruction ID: fe1f5ea68d1fceba9d6ee9cbc9ff9cc8a0d2bbd7fec14a3df5b5fc2895ff51e9
Opcode Fuzzy Hash: 10b21deb4cfda85ebc5f73e99ace36e2f9294ca1c0a3fd2d71f538f947573ee4
Instruction Fuzzy Hash: 3DF0AF316813225F9FB3CEA64C916EBA798DB02761F104279EE11E3240D635C94C93A0

Function 00AD3370 Relevance: 9.2, APIs: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00AD33FA
GetClientRect.USER32(?,?), ref: 00AD341B
GetParent.USER32(?), ref: 00AD343B
SendMessageW.USER32(00000000,00000135,?,?), ref: 00AD344B
FillRect.USER32(?,?,00000000), ref: 00AD3459
EndPaint.USER32(?,?), ref: 00AD361C

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: PaintRect$BeginClientFillMessageParentSend
String ID:
API String ID: 732421049-0
Opcode ID: ed3c7f2a1d1ac4607a2e4e8c5f0a0907fd2d00100b9fa8f3aed6236f38996158
Instruction ID: d4a87abc6cc66d39e553f859a7d77b6bcfb2498c8228c1e45a762b7ab43d6c0b
Opcode Fuzzy Hash: ed3c7f2a1d1ac4607a2e4e8c5f0a0907fd2d00100b9fa8f3aed6236f38996158
Instruction Fuzzy Hash: 99913971900218DFDF11CF68D948BADBBB5FF09304F1481AAE80AA7251DB75AE85CF51

Function 00AF5350 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF539A
std::_Lockit::_Lockit.LIBCPMT ref: 00AF53BC
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF53E4
__Getctype.LIBCPMT ref: 00AF54C5
std::_Facet_Register.LIBCPMT ref: 00AF5527
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF555B

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 63a9e88359862cb652a3b1bd01d2509111caaa6b497937f1da4c3d46b16099b2
Instruction ID: aca1f035e445e218e54ba30caead0dc05b006089d96ba1546e9760f196958a38
Opcode Fuzzy Hash: 63a9e88359862cb652a3b1bd01d2509111caaa6b497937f1da4c3d46b16099b2
Instruction Fuzzy Hash: 2161ABB1C00649CFDB11CFA9C9407AAFBB1FF54314F148259EA44AB391E774AA89CF91

Function 00AF5150 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF518D
std::_Lockit::_Lockit.LIBCPMT ref: 00AF51AF
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF51D7
__Getcoll.LIBCPMT ref: 00AF52A1
std::_Facet_Register.LIBCPMT ref: 00AF52E6
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF5327

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 963cb57ec1c7434df6ef857969d5e1caa35ebe8b707901dfecd36d7e67e7956a
Instruction ID: 9bf67585958967942bb50c14b74360e0f40b77c6d3ae24883c29eedf09ceffa1
Opcode Fuzzy Hash: 963cb57ec1c7434df6ef857969d5e1caa35ebe8b707901dfecd36d7e67e7956a
Instruction Fuzzy Hash: 37518970C00608EFDB01DFA8D984BADBBB4FF50314F244259F955AB291EB74AA09DF91

Function 00CBE16A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CBE161,00CBE124,?,?,00AF230D,00BECD10,?,00000008), ref: 00CBE178
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CBE186
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CBE19F
SetLastError.KERNEL32(00000000,00CBE161,00CBE124,?,?,00AF230D,00BECD10,?,00000008), ref: 00CBE1F1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 65768bfe6abd540e15d78fbf54e449be9f87c71ae56a4c012df55aa55b82a4cc
Instruction ID: 0131a84a39f557ebf8a0fc983aba9b416fee3e52bd8aaebee4444c6367e64d12
Opcode Fuzzy Hash: 65768bfe6abd540e15d78fbf54e449be9f87c71ae56a4c012df55aa55b82a4cc
Instruction Fuzzy Hash: C301B53210D7615EA724167AEC45BEE275AEB02B74F34422DF834D01E3EE214D02A168

Function 00C308F0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00C30A23
GetForegroundWindow.USER32(?,?,?,?,2E261FC3,00D8F388,00D8F388), ref: 00C30A33

Strings

User accepted to install a newer version., xrefs: 00C30AB8, 00C30ADF, 00C30AE0
User refused to install a newer version., xrefs: 00C30AC1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: User accepted to install a newer version.$User refused to install a newer version.
API String ID: 307657957-4113633398
Opcode ID: cedcf8b2844cb98b81d0c378a2d76f3416c210909cd7342c7a1c733797b15a12
Instruction ID: d2fb679b704ac579c9c31de7dae277c59da21566d399d4327a9e0c174e56c37a
Opcode Fuzzy Hash: cedcf8b2844cb98b81d0c378a2d76f3416c210909cd7342c7a1c733797b15a12
Instruction Fuzzy Hash: 3681E535A002098FCB04DF68C85576EF7F5EF89314F28819DE515A7391DB35AE06CB91

Function 00C27270 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00E02000,2E261FC3,?), ref: 00C272AF
EnterCriticalSection.KERNEL32(?,2E261FC3,?), ref: 00C272BC
OutputDebugStringW.KERNEL32(00C08DF2,?,00000000), ref: 00C27385
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00C27417

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 00C27303

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: eb4cf7a11e15670100050e843f50dc283e188ca4ae55bd0bee752c912f55a72a
Instruction ID: 45157520acf2717e9fe00b03fccc5e7ee2097b4b0a3b12183829d51a0c3354f3
Opcode Fuzzy Hash: eb4cf7a11e15670100050e843f50dc283e188ca4ae55bd0bee752c912f55a72a
Instruction Fuzzy Hash: 2F510439904259CFCF05DF68D9946AEBBB5FF49310F14429CE811A7392DB359E02CBA0

Function 00AF45F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00AF4642
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 00AF464F
GetLastError.KERNEL32 ref: 00AF468D
CloseHandle.KERNEL32(00000000), ref: 00AF46C4

Strings

SeShutdownPrivilege, xrefs: 00AF465D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege
API String ID: 2767541406-3733053543
Opcode ID: fc6c6891f5f59bfe9633bc86270e16239087522d62a854bbb2b355feaba19250
Instruction ID: ea0031d4d58f13d95f3c96ccf0e2d64658e083c19d907387023e643a3d8b0b34
Opcode Fuzzy Hash: fc6c6891f5f59bfe9633bc86270e16239087522d62a854bbb2b355feaba19250
Instruction Fuzzy Hash: 68312671A40309AFEB109FA1DD59BEEBBB8FB09714F104129F511F7280DB759904CBA4

Function 00BCA360 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00BCA42D
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00BCA478

Part of subcall function 00CBCAB5: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAC0
Part of subcall function 00CBCAB5: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAFA

Part of subcall function 00BA82D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00BA8312

Part of subcall function 00CBCA64: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCA6E
Part of subcall function 00CBCA64: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAA1
Part of subcall function 00CBCA64: WakeAllConditionVariable.KERNEL32(00E00884,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAAC

Strings

explorer, xrefs: 00BCA458
UxTheme.dll, xrefs: 00BCA3C1
SetWindowTheme, xrefs: 00BCA422

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1065053019-3123591815
Opcode ID: a9af86cf070344f26305ca14c89390e6a60687946e6fc8497b37f0f16bf4dab4
Instruction ID: 568990783dd18ec7a0eb7eefcb10c87959b1061df5c0f0c1b439db52b9532c75
Opcode Fuzzy Hash: a9af86cf070344f26305ca14c89390e6a60687946e6fc8497b37f0f16bf4dab4
Instruction Fuzzy Hash: 8321DDB1A44745AFC324DF59EC86F8AB7A4E700B20F140269E460B33E0C7717984DBA6

Function 00AD56A0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000,2E261FC3), ref: 00AD5766
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,2E261FC3), ref: 00AD576C
GetProcessHeap.KERNEL32(?,00000000), ref: 00AD5905
HeapFree.KERNEL32(00000000,?,00000000), ref: 00AD590B

Strings

#, xrefs: 00AD5A35

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: #
API String ID: 3859560861-1885708031
Opcode ID: 5e557384a5967b7c99cdf0dda011645ec18c8474bf7bec2ba6420b70582f8668
Instruction ID: 1afa87443dbe4530de4ff7efd298bd9e68501652deb3d60409be15068ab188df
Opcode Fuzzy Hash: 5e557384a5967b7c99cdf0dda011645ec18c8474bf7bec2ba6420b70582f8668
Instruction Fuzzy Hash: BED16971E01619CFDB04CFA9C998BEEBBB0FF44324F24426AD816A7390D7755A04DBA0

Function 00ACE520 Relevance: 7.8, APIs: 5, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E01F9C,2E261FC3,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00CE7EB5), ref: 00ACE58A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00CE7EB5), ref: 00ACE604

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID:
API String ID: 764724386-0
Opcode ID: 3cc78cb091a91a57a1916ae77f351e8bcd0e90b48d16c17adcb2a0fedbbd26f3
Instruction ID: 81751798007805feb568d21457949a6a1d98650801d193ad908d58df955bd61d
Opcode Fuzzy Hash: 3cc78cb091a91a57a1916ae77f351e8bcd0e90b48d16c17adcb2a0fedbbd26f3
Instruction Fuzzy Hash: 9CC1A075A00259DFDB11CFA8DC58BAEBBB5BF09304F154099E805EB3A0DB75AD05CBA0

Function 00AD9200 Relevance: 7.7, APIs: 5, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00AD9272
GetParent.USER32(00000001), ref: 00AD929D
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 00AD92AD
FillRect.USER32(?,?,00000000), ref: 00AD92BB
ReleaseDC.USER32(00000001,00000000), ref: 00AD948E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 705ee9236e77fba67faaef9684c4936b8b7a69d261b35b9ccc11befad87f9c2d
Instruction ID: 14d2bd5bb2c4c1b5c46c4eb2d434b6dd3bc85732e67f41bd0efa9acfccd8afaf
Opcode Fuzzy Hash: 705ee9236e77fba67faaef9684c4936b8b7a69d261b35b9ccc11befad87f9c2d
Instruction Fuzzy Hash: D8916AB1A00619EFDB15CFA5CD44BAEBBB9FF08300F14412AE916E7690D732E955CB90

Function 00BCB290 Relevance: 7.7, APIs: 5, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,2E261FC3,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00D2335D), ref: 00BCB2C0
GetWindowRect.USER32(?,00000000), ref: 00BCB2E0
IsWindowEnabled.USER32(?), ref: 00BCB311
GetFocus.USER32 ref: 00BCB31F
DeleteDC.GDI32(?), ref: 00BCB45E

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: db3cb4af881dfc1fed74853a623d87c61f2d769485b7cc50c19a47efedc7cb18
Instruction ID: 198bf88caf1b49c5fdfc522921f42249667723bb8090d9ca6aff37b0bdf98fa0
Opcode Fuzzy Hash: db3cb4af881dfc1fed74853a623d87c61f2d769485b7cc50c19a47efedc7cb18
Instruction Fuzzy Hash: 656113B0A00659EFDB14DFA4C889BEEBBF8FB09300F14416AE415A7290D775A944CB65

Function 00AC8AB0 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00AC8B0F
GetDlgItem.USER32(?,?), ref: 00AC8B34
SendMessageW.USER32(?,?,?,?), ref: 00AC8C08

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: af0e6a8a996e4fad39935d037816689117dc7536ca2a8e8eb6e579ddea3c9fe7
Instruction ID: 744b867452d958bf139b85f7808e76662bb40862746cf5b5b2ed028e696a04a6
Opcode Fuzzy Hash: af0e6a8a996e4fad39935d037816689117dc7536ca2a8e8eb6e579ddea3c9fe7
Instruction Fuzzy Hash: 3D41F1B22042059FD7198F18DC98F6AB7B9FB88311F06492EE046D71A0CF2AED50DB20

Function 00ACED60 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00ACEE3C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ACEE4B
ReleaseDC.USER32(00000000), ref: 00ACEE92

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: e0a7730101374559bf5f85d1ed8575d03f0b0c048795e4ddbf24698d52d30ddc
Instruction ID: 355a54a571e123970527d6de30087c4b376ee11a37e0a1c955e6aee863ddeac3
Opcode Fuzzy Hash: e0a7730101374559bf5f85d1ed8575d03f0b0c048795e4ddbf24698d52d30ddc
Instruction Fuzzy Hash: D75106B5A00349EFDB10DFA5C848BAA7BF8FF08350F144529F956E7290D7359944CB61

Function 00AD2860 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AD28B6
GetClientRect.USER32(?,00000000), ref: 00AD28DC
GetParent.USER32(?), ref: 00AD28EA

Part of subcall function 00CBC189: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00C1C8C1,?,?,?), ref: 00CBC18E
Part of subcall function 00CBC189: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00CBC195

SetWindowLongW.USER32(?,000000EB), ref: 00AD292B
ShowWindow.USER32(?,00000000), ref: 00AD294D

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: 316ff61069960a745808ec26edf8c2651aea16004f959d8406281872f70735b0
Instruction ID: e21ede93bc8ef549fe8ae2d72b120cf3141c7e5e9b0b0e8dcbee26f3858934c7
Opcode Fuzzy Hash: 316ff61069960a745808ec26edf8c2651aea16004f959d8406281872f70735b0
Instruction Fuzzy Hash: 53317E756003149FDB04AF29DC94A6EBBE9FF99310B44416AFC06E7352DB24DD04DBA2

Function 00BEAA30 Relevance: 7.6, APIs: 6, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,80004005,BEA8A700), ref: 00BEAA42
LocalFree.KERNEL32(?,80004005,BEA8A700), ref: 00BEAA56
GetLastError.KERNEL32 ref: 00BEAA98
LocalAlloc.KERNEL32(00000040,00000014), ref: 00BEAAD8
GetLastError.KERNEL32 ref: 00BEAAF2
LocalFree.KERNEL32(?), ref: 00BEAB03

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocAllocateHeap
String ID:
API String ID: 1027944315-0
Opcode ID: f5e09fde0f8e881fea6824e5fc5f0af6a75919415b2cb009e6f69ae29db15f21
Instruction ID: b8831482d42511aba31ba7a9683e85033ee27bb333608ff83aa56f4a9007141e
Opcode Fuzzy Hash: f5e09fde0f8e881fea6824e5fc5f0af6a75919415b2cb009e6f69ae29db15f21
Instruction Fuzzy Hash: 5F313774600305AFD720DF7AD948B97BBE8FF48701F04896DE986D2650E774E848CB62

Function 00AC2680 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC26CA
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00AC26D0
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00AC26F3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00CE5A96,000000FF), ref: 00AC271B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00CE5A96,000000FF), ref: 00AC2721

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: e71cce238f59f5b5b93c40be247e304d169739d916b1379c2525702e46913cce
Instruction ID: e87b64f5dd912814c4db7b97e91df978c4b08f685a1a4382a82d6a9cb4fcb562
Opcode Fuzzy Hash: e71cce238f59f5b5b93c40be247e304d169739d916b1379c2525702e46913cce
Instruction Fuzzy Hash: AC118FF1A44219ABEB00DF94CD06FAFBBBCEB04B44F104519F910BB2C1DBB59A0487A0

Function 00C2F000 Relevance: 7.6, APIs: 5, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00C2F000,80000000,00000000,00000000,00000003,00000080,00000000,2E261FC3,?,00C2F000), ref: 00C2F03C
GetLastError.KERNEL32 ref: 00C2F05A
ReadFile.KERNEL32(00000000,2E261FC3,00000004,00C2F000,00000000), ref: 00C2F070
GetLastError.KERNEL32 ref: 00C2F07A
CloseHandle.KERNEL32(00000000), ref: 00C2F099

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID:
API String ID: 3160720760-0
Opcode ID: e5dfad9c8a85ff207783ebe89a6797b87f692259d539ff4461b93b4ddc41ba8d
Instruction ID: df38ce7af50d3739985f0a9715141d98167be79a8f07051d95c55c598979237a
Opcode Fuzzy Hash: e5dfad9c8a85ff207783ebe89a6797b87f692259d539ff4461b93b4ddc41ba8d
Instruction Fuzzy Hash: 49118675A00319FFD7209F95ED05B6ABBB8EB45B20F10422AFA11F67D0D7755A018BA0

Function 00ADE040 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00ADE04A
SendMessageW.USER32(?,?,?,0000102B), ref: 00ADE0A1
SendMessageW.USER32(?,?,?,0000102B), ref: 00ADE0F4
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00ADE109
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00ADE11A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 383d921a1fdd743f5d3f3c022087aff4079d642bdd063984b74bcacc3ab2c377
Instruction ID: 40c7af4a60f2011062f54d720426dabefab01dedecaa3b799418b6bb43bd7105
Opcode Fuzzy Hash: 383d921a1fdd743f5d3f3c022087aff4079d642bdd063984b74bcacc3ab2c377
Instruction Fuzzy Hash: DD213E31918386ABD320CF51CD45B1ABBE5BFDD718F206B1EF180211A4E7B295848A86

Function 00AEA6D0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00AEA8AB
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AEA8BA
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AEA8C6

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

RichEdit20W, xrefs: 00AEA8A3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: 391c635a10fb8a86b94b5ba968f61fb03239a47726cd31c3e70510296157855b
Instruction ID: 361436d11954a47466c8190dbafbe973526a63367eb2612032cc83fbdad3527a
Opcode Fuzzy Hash: 391c635a10fb8a86b94b5ba968f61fb03239a47726cd31c3e70510296157855b
Instruction Fuzzy Hash: 8DC1A834E002189FCB04DFAAC894BAEBBB5EF49310F14416AE911E7391DB71AD05CBA4

Function 00C28320 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00C3D670: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00E02000), ref: 00C3D680
Part of subcall function 00C3D670: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00E02000), ref: 00C3D693
Part of subcall function 00C3D670: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00C3D6A3

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00E02000), ref: 00C28416

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Strings

Everyone, xrefs: 00C28439
ADVINST_LOGS, xrefs: 00C28409

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: 301c0e9acb03578e851691ba8ea52f57e3f1b86127969f8384a0e5a864ab8781
Instruction ID: 0bbc87b961a0754d3c4cc51db55e8a3d0d8c56fc66bdfc7c405863a92daa6d9e
Opcode Fuzzy Hash: 301c0e9acb03578e851691ba8ea52f57e3f1b86127969f8384a0e5a864ab8781
Instruction Fuzzy Hash: D3A1DF71D02218DFDB00DFA8D959BAEBBB4EF54324F244158E811AB3D1DB356E09CBA1

Function 00AE4A10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Part of subcall function 00BC9EB0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00ADD5B8,?,80004005,?), ref: 00BC9F3A
Part of subcall function 00BC9EB0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,00ADD5B8,?,80004005,?), ref: 00BC9F4B
Part of subcall function 00BC9EB0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BC9F74

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00AE4BE1
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00AE4BFC
SendMessageW.USER32(?,00001061,00000000,?), ref: 00AE4C5C

Strings

QuickSelectionList, xrefs: 00AE4AF8, 00AE4B0A, 00AE4B14

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID: QuickSelectionList
API String ID: 884508843-3633591268
Opcode ID: 203885d38e0ebc8f74dff241eae96c2487e4c758f56878da0801ec74ad09931d
Instruction ID: 111b1b99b6efc1e4a3ba6f9a8f235dffb36a6e80c0be1382e735356b33efa786
Opcode Fuzzy Hash: 203885d38e0ebc8f74dff241eae96c2487e4c758f56878da0801ec74ad09931d
Instruction Fuzzy Hash: 0A81AC75A003099FCB04DF65C884BAEBBF9FF88324F14456AF915A7391DB74A904CBA1

Function 00C3D400 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C3D431
CoCreateInstance.COMBASE(00D922F8,00000000,00000001,00D92308,00000000), ref: 00C3D461
CoUninitialize.COMBASE ref: 00C3D64B

Strings

{374DE290-123F-4565-9164-39C4925E467B}, xrefs: 00C3D4AD

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: {374DE290-123F-4565-9164-39C4925E467B}
API String ID: 948891078-4280329633
Opcode ID: 7406b7abc5c4a1790b1c3d1a6860d3c6de6a78700de8c2f8ff88098f130f1ab2
Instruction ID: 76f1eae3c67f0443ea70a1e2f6a3aef86cd115d37bca85bf848a0cdf6379c989
Opcode Fuzzy Hash: 7406b7abc5c4a1790b1c3d1a6860d3c6de6a78700de8c2f8ff88098f130f1ab2
Instruction Fuzzy Hash: D671E2B0A102199FDF10DF64E855BEEBBB4FF09704F044159E852B7390EB749A49CBA1

Function 00C28800 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,2E261FC3,?,80000002,80000002), ref: 00C28853
CloseHandle.KERNEL32(?,2E261FC3,80000002,?,00000000,00D33053,000000FF,?,80004005,?,80000002), ref: 00C289F0
CloseHandle.KERNEL32(00000000,2E261FC3,80000002,?,00000000,00D33053,000000FF,?,80004005,?,80000002), ref: 00C28A1F

Strings

LOG, xrefs: 00C288C7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: bc406577631214f0c8c8c4505f4c6c00008d5e695923dd007609e19b9e75040a
Instruction ID: 1d2e15e491715d48a32e548bb4094fdedb6847d7699245171e6c755f7c356e95
Opcode Fuzzy Hash: bc406577631214f0c8c8c4505f4c6c00008d5e695923dd007609e19b9e75040a
Instruction Fuzzy Hash: DB61E275A01318DFDB24DF28D8447AAB7F5FF44710F548629E81ADBB81EB749A08CB90

Function 00AC2A60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00AC2AA4
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00AC2AAA

Strings

RoOriginateLanguageException, xrefs: 00AC2A9A
combase.dll, xrefs: 00AC2A9F

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 43cbacbda577691eeed49c7784399a4c3537994feabb133cf6fe404ab714ad63
Instruction ID: fc1029014207037d877841ad281705752b1d1bd463f97a4455b0cc31ac27c9c6
Opcode Fuzzy Hash: 43cbacbda577691eeed49c7784399a4c3537994feabb133cf6fe404ab714ad63
Instruction Fuzzy Hash: 71316A71900219DFCB20DFA8C905BEEBBB4FB44754F11426EE815A72D0DBB55A48CBA1

Function 00BF7340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBCAB5: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAC0
Part of subcall function 00CBCAB5: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB446,00E0149C,2E261FC3,?,?,00CE3F6D,000000FF,?,00C348BD,2E261FC3,?), ref: 00CBCAFA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00BF739E
GetProcAddress.KERNEL32(00000000), ref: 00BF73A5

Part of subcall function 00CBCA64: AcquireSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCA6E
Part of subcall function 00CBCA64: ReleaseSRWLockExclusive.KERNEL32(00E00888,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAA1
Part of subcall function 00CBCA64: WakeAllConditionVariable.KERNEL32(00E00884,?,?,00ABB4B7,00E0149C,00D47860), ref: 00CBCAAC

Strings

Dbghelp.dll, xrefs: 00BF7399
SymFromAddr, xrefs: 00BF7394

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 1702099962-642441706
Opcode ID: dba191a1a4e79b9fc66e873a35f2c09bb835d13effc69f828b0440f172ad82cd
Instruction ID: 7249bd9df7a973e750de914290ec900c78112edbef8d3467a7612a19fc9a2c30
Opcode Fuzzy Hash: dba191a1a4e79b9fc66e873a35f2c09bb835d13effc69f828b0440f172ad82cd
Instruction Fuzzy Hash: 3001DAB0A48345EFC310CF98EC85B1AB7B4E309B24F0003A9E921A37D0CB756A48DB20

Function 00CC123C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00CC11ED,00000000,00000001,00E00C18,?,?,?,00CC1390,00000004,InitializeCriticalSectionEx,00D6ED14,InitializeCriticalSectionEx), ref: 00CC1249
GetLastError.KERNEL32(?,00CC11ED,00000000,00000001,00E00C18,?,?,?,00CC1390,00000004,InitializeCriticalSectionEx,00D6ED14,InitializeCriticalSectionEx,00000000,?,00CC153D), ref: 00CC1253
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00CC03C3), ref: 00CC127B

Strings

api-ms-, xrefs: 00CC1260

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4e75c80f0bef4c5d0a6d20f532d94a44785b79652be84568b22185c59995775f
Instruction ID: 8951546cd59dbe6925a77ec3a422e7369ddd1fc4eed2c77aa2dde16f6d8c4fba
Opcode Fuzzy Hash: 4e75c80f0bef4c5d0a6d20f532d94a44785b79652be84568b22185c59995775f
Instruction Fuzzy Hash: F2E04F75680304FBFF501FA3EC06F1A7B59AB02B40F148028FD1CE81E2D761DA209A65

Function 00ADD3E0 Relevance: 6.3, APIs: 4, Instructions: 337windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00ADD55D
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00ADD576

Part of subcall function 00ABB010: RtlAllocateHeap.NTDLL(?,00000000,?,2E261FC3,00000000,00CE39F0,000000FF,?,?,00DF843C,?,?,00C34927,80004005,2E261FC3,?), ref: 00ABB05A

Part of subcall function 00BC9EB0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00ADD5B8,?,80004005,?), ref: 00BC9F3A
Part of subcall function 00BC9EB0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,00ADD5B8,?,80004005,?), ref: 00BC9F4B
Part of subcall function 00BC9EB0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BC9F74

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00ADD6B3
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00ADD7AF

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID:
API String ID: 884508843-0
Opcode ID: 930ea4b0dd44ddf8ac63043fdc65cf70106ab629bad6f8191d2c729b118de1f0
Instruction ID: 87a3abb11d4dda3045322e443716ff333e1c3438a058e7d59506e896eda437dd
Opcode Fuzzy Hash: 930ea4b0dd44ddf8ac63043fdc65cf70106ab629bad6f8191d2c729b118de1f0
Instruction Fuzzy Hash: 04D17C71A00209AFDB14DFA8C994BEEFBB5FF48314F14421AE416A7390DB75A944CFA0

Function 00AE7060 Relevance: 6.3, APIs: 4, Instructions: 279windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00AE7161
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00AE7196
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00AE7352
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00AE7378

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2d1c7921778d5a5ca4bc9b71c7b3338ee7a3cc81ce512161dd8ec19a34e66b0c
Instruction ID: 03ad5adabc93eb187458613b4679202b801d9d3bf6cbc02583187bea6e10c494
Opcode Fuzzy Hash: 2d1c7921778d5a5ca4bc9b71c7b3338ee7a3cc81ce512161dd8ec19a34e66b0c
Instruction Fuzzy Hash: 56B1BC71A04249DFCB15CF6AD894AEEBBF5FF48310F1441A9E806AB291DB30EC45CB90

Function 00BFEB70 Relevance: 6.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BFED07
GetForegroundWindow.USER32(?,00000000,00D2B31D,000000FF,?,00C08009), ref: 00BFED17
OutputDebugStringW.KERNEL32(?,2E261FC3,00000000,00000000,00000000,?,00000000,00D2B31D,000000FF,?,00C08009,?), ref: 00BFEDB8
SetForegroundWindow.USER32(00000000), ref: 00BFED4F

Part of subcall function 00ABB3A0: GetProcessHeap.KERNEL32 ref: 00ABB3F5

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 799693181-0
Opcode ID: 58eaa6afe8ce9c518842a943499bc1a11159e14ced07b75b34b1f6dc0670e11b
Instruction ID: 675b01d340f8be4b1c8c604d78d883669d0b6119132ee08bd9f02364211109a9
Opcode Fuzzy Hash: 58eaa6afe8ce9c518842a943499bc1a11159e14ced07b75b34b1f6dc0670e11b
Instruction Fuzzy Hash: EB71F7799002098FCB14DF68C8556BEBBF6FF89310F18419DE915A7391DB35AD06CBA0

Function 00ADE270 Relevance: 6.2, APIs: 4, Instructions: 222COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 00ADE381
IsWindowEnabled.USER32(?), ref: 00ADE3D7
CopyRect.USER32(00000000,?), ref: 00ADE441
IsWindowEnabled.USER32(?), ref: 00ADE45A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: EnabledWindow$CopyRect
String ID:
API String ID: 2919275910-0
Opcode ID: e8c0bccac70b95136772158f8a586d9c79d254339f298973ad91ae40ca31b6ac
Instruction ID: 8e999459158ac2df01f3145e53ad3afaa0369969afcce2fcbdf495d15f2f2b4f
Opcode Fuzzy Hash: e8c0bccac70b95136772158f8a586d9c79d254339f298973ad91ae40ca31b6ac
Instruction Fuzzy Hash: 78819275A002189FDB14DF69C898BADBBF5FB89310F148169E812EB390CB75AC05CF64

Function 00BD9210 Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00E01FBC,2E261FC3,00DF8AB8,0553FD28,?,00E01FAC,00DF8AB8,00CE3E70,000000FF,?,00BD946F), ref: 00BD92B2
EnterCriticalSection.KERNEL32(00E01F9C,2E261FC3), ref: 00BD932F
DestroyWindow.USER32(00000000), ref: 00BD934D
LeaveCriticalSection.KERNEL32(00E01F9C), ref: 00BD9396

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CriticalSection$DeleteDestroyEnterLeaveWindow
String ID:
API String ID: 307358592-0
Opcode ID: cdc953358f4e8e4401fd5999c54733eda1183135818e354c68af3e4ad61a3f05
Instruction ID: 58094bd078b0bbbf33a550ef11e641489084ce13f6f8b04177b481c9344bdbc6
Opcode Fuzzy Hash: cdc953358f4e8e4401fd5999c54733eda1183135818e354c68af3e4ad61a3f05
Instruction Fuzzy Hash: 0A718D71A00615DBDB20CF65D844B5AFBF8EF45B10F0441AAE819AB390E775A804CBA1

Function 00C121A0 Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00C0CCE2,00000000,?,00000000,00000000,?,00000000,?,?,?,00C0CCE2,?,00000003), ref: 00C1226D
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00C0CCE2,?,00000003,00000009,2E261FC3,00000000), ref: 00C1227E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00C0CCE2,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00C1229F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00C0CCE2,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00C122F1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e1f10228fa34870364d846e8b51f2e7387ec47a44c18f86a6df910813c6a5ae0
Instruction ID: aa0464f07608e5742b541772a550bff4c4a770f45c65b4b31e5803fd04e0068f
Opcode Fuzzy Hash: e1f10228fa34870364d846e8b51f2e7387ec47a44c18f86a6df910813c6a5ae0
Instruction Fuzzy Hash: 7F516B75600304ABD7209B64CC42FEBB39CFF46710F20452DF955E6291EBB6DAA0B761

Function 00AD1290 Relevance: 6.2, APIs: 4, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00AD13D8
SysAllocString.OLEAUT32(00000000), ref: 00AD13EF
VariantClear.OLEAUT32(?), ref: 00AD140B
VariantClear.OLEAUT32(?), ref: 00AD1440

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: 6aea3ce564234c35067dd550777d496419071280e0d1eb35d63a1f09990791ef
Instruction ID: f53bfcd1a15ada76c5e9b068fe7784af4ef18d48399b16c42c079a321af7c3a6
Opcode Fuzzy Hash: 6aea3ce564234c35067dd550777d496419071280e0d1eb35d63a1f09990791ef
Instruction Fuzzy Hash: 8B5170B5A00258AFDB20CF64CC44B9DB7B8EF48714F1445AAE91AE7351DB31AD808B98

Function 00C06E40 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00C06EA2
GetShortPathNameW.KERNEL32(?,?,?), ref: 00C06F21
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C06F71
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00C06FA7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 71c1a0ad371e704222e5a09f9e6d6d8fbab211db865cdcc7b1164efbffb211e1
Instruction ID: 27f8078641bb440928d99599e03e87efed52fcd67faa7114c523293828d5db73
Opcode Fuzzy Hash: 71c1a0ad371e704222e5a09f9e6d6d8fbab211db865cdcc7b1164efbffb211e1
Instruction Fuzzy Hash: 7951AA71A04216AFD704DFA8DC89B6EF7A9EF44324F104629F9259B3D0DB31A900CBA0

Function 00AEA950 Relevance: 6.1, APIs: 4, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00AEA99B
GetClientRect.USER32(?,?), ref: 00AEA9D5
GetDC.USER32(?), ref: 00AEA9EC
GetDeviceCaps.GDI32(00000000), ref: 00AEA9F3

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CapsClientDeviceMessageRectSend
String ID:
API String ID: 3507044913-0
Opcode ID: 8069d59d20363b9c7f61cd0287a5fbf4411a5e535268fcb7e2a77f97d5a76839
Instruction ID: 417d1c046dd884af93875a806c3c0c9d2d359cc18cda10ae79754f6035f0642d
Opcode Fuzzy Hash: 8069d59d20363b9c7f61cd0287a5fbf4411a5e535268fcb7e2a77f97d5a76839
Instruction Fuzzy Hash: 3441BF316043459FD711DF35CC49F9ABBE8FF89300F044629F54AA72A0DB71A955CB52

Function 00AC8900 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00AC89E2
IsChild.USER32(?,00000000), ref: 00AC89EC
GetWindow.USER32(?,00000005), ref: 00AC89FB
SetFocus.USER32(00000000), ref: 00AC8A02

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 11a58200cc71a06fb48da8f9ecf39d540dab953c48da57cd9ed06ce9e8efb450
Instruction ID: 20c2eeb3639c0adec3bdd8c7030e5bc122515109b0fbe837c3e63d8a1ba397f9
Opcode Fuzzy Hash: 11a58200cc71a06fb48da8f9ecf39d540dab953c48da57cd9ed06ce9e8efb450
Instruction Fuzzy Hash: 50316B71600619AFDB14CF24DC59B6ABBB9FB09710F11421EE815E73A0DF79AC04CB90

Function 00AD4590 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00AD45E1
SelectObject.GDI32(?,?), ref: 00AD45EC
DeleteObject.GDI32(?), ref: 00AD45FE
DeleteDC.GDI32(?), ref: 00AD4623

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: DeleteObject$Select
String ID:
API String ID: 207189511-0
Opcode ID: 63a73a3490546971b9f795bd2c934461ba7cca09f17daf8ede0f65b02b319bd4
Instruction ID: 414d8c769ff7faa6bc32e70e96a38e9d9488f0d584c58ab8de49714b4519838c
Opcode Fuzzy Hash: 63a73a3490546971b9f795bd2c934461ba7cca09f17daf8ede0f65b02b319bd4
Instruction Fuzzy Hash: C7114CB1601606BFD710CF6ADC08F6AFBB9FB49720F144229E815D3690DB75E960CBA0

Function 00AD4640 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00AD469B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00AD46B4
SelectObject.GDI32(?,00000000), ref: 00AD46C0
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00AD46D9

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CompatibleCreate$BitmapObjectSelectViewport
String ID:
API String ID: 1881423421-0
Opcode ID: dd3e909cceeaa49327cf65a59b7c5e1671f5e24fc7e0da7476a9f8742ad409c7
Instruction ID: 1942d1a69ef1692455787d418872332d98c924aabf377d843c5eb254735c511b
Opcode Fuzzy Hash: dd3e909cceeaa49327cf65a59b7c5e1671f5e24fc7e0da7476a9f8742ad409c7
Instruction Fuzzy Hash: DA21F9B5504B08EFD720CF59C944B66BBF9FB08710F108A1DE89697790D775A944CB90

Function 00ACC5A0 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00ACC5CB
BitBlt.GDI32(00000000,?,?,?,00000000,?,00000000,00000000,00CC0020), ref: 00ACC5F6
DeleteDC.GDI32(?), ref: 00ACC5FD
ReleaseDC.USER32(?,?), ref: 00ACC60A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-0
Opcode ID: ffaed4621ec4a98677a856165d5fce3297715494d4362ae151f4184d8b253230
Instruction ID: 8ccd869faa92192e1a7300ca0214dd8da8bf8e0f76e7948f02e34056e417e948
Opcode Fuzzy Hash: ffaed4621ec4a98677a856165d5fce3297715494d4362ae151f4184d8b253230
Instruction Fuzzy Hash: 3C0117B2204305AFD304DF29CC89F2BBBE9FB8C310F444528F54592661D771E858CBA2

Function 00CBA1E4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBA1EB
std::_Lockit::_Lockit.LIBCPMT ref: 00CBA1F6
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBA264

Part of subcall function 00CBA347: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00CBA35F

std::locale::_Setgloballocale.LIBCPMT ref: 00CBA211

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: a8c6168e133c42d94e006b0676089e77ae7b66cba651b2820c456ce5c5457a9a
Instruction ID: b4658df2256e8813c07e1b6fee3bd669c76d4c308aba846c3228455c797ac7ac
Opcode Fuzzy Hash: a8c6168e133c42d94e006b0676089e77ae7b66cba651b2820c456ce5c5457a9a
Instruction Fuzzy Hash: 1801DB75A002608FCB06EF21DC55ABD7BA1BF85740F140008E84267391CF34AE4ADF92

Function 00AC0FB0 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AC0FC0

Part of subcall function 00CB9E8C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00AC0FD6,?,00000000,00000000), ref: 00CB9E98
Part of subcall function 00CB9E8C: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,00AC0FD6,?,00000000,00000000), ref: 00CB9EB1
Part of subcall function 00CB9E8C: CloseHandle.KERNEL32(?,?,?,?,00AC0FD6,?,00000000,00000000), ref: 00CB9EC3

std::_Throw_Cpp_error.LIBCPMT ref: 00AC0FE9
std::_Throw_Cpp_error.LIBCPMT ref: 00AC0FF0
std::_Throw_Cpp_error.LIBCPMT ref: 00AC0FF7

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 6fb22d19f6b2abff4ee538840f9c608cce0a247cc0b78a4f338af210329b407e
Instruction ID: 5a909bac3044fa590185c0affe17f57c6065f01a2ff55a5f6d021b364f963fce
Opcode Fuzzy Hash: 6fb22d19f6b2abff4ee538840f9c608cce0a247cc0b78a4f338af210329b407e
Instruction Fuzzy Hash: 14F08235451748DBD734ABA89D07F96B3D8DB04F11F00856DB7B88A4C1EAB1E580DA93

Function 00BE8F10 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00BE90F6

Strings

ios_base::failbit set, xrefs: 00BE91D2
iostream, xrefs: 00BE92D0

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: ___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2659868963-302468714
Opcode ID: 5d1b8310e6d618da259a1a02155e2f5f5d5b287793bc205d62516ab258f7d727
Instruction ID: 0bb38226d5457c925ecc4f10cfd4aab87f6fcef439b96d16c75d0cbfe644d8dd
Opcode Fuzzy Hash: 5d1b8310e6d618da259a1a02155e2f5f5d5b287793bc205d62516ab258f7d727
Instruction Fuzzy Hash: 17C18CB1D00258DFDB10DFA9C884BAEFBB5FF48314F24825AE825AB382D7745945CB91

Function 00BDF010 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2E261FC3), ref: 00BDF0B2

Strings

\\?\, xrefs: 00BDF1AF, 00BDF1DA
\\?\UNC\, xrefs: 00BDF0D9, 00BDF13A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 2bb6847aa57ba4096e2d12abc3c7f500b6a263f0c0020b69e8db99c664d85e37
Instruction ID: f99285d141c62a8903229703a9089e838fff2b70c68594d55becdf0ee0ab5d26
Opcode Fuzzy Hash: 2bb6847aa57ba4096e2d12abc3c7f500b6a263f0c0020b69e8db99c664d85e37
Instruction Fuzzy Hash: 80518EB0D042059BDB24DF68C845BBEFBF5EF55308F10866AD816A7341E7B16A48CBA1

Function 00C28640 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,2E261FC3,?,80000002,00E02000), ref: 00C2867F
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00E02000), ref: 00C286E0

Strings

ADVINST_LOGS, xrefs: 00C286B8

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 80c3138ea498a8d753351147f81b3888f162da3504da308129df3e32836a61e0
Instruction ID: 015d0611fa611c06ab336d229c795a241094c8c298a39acf14f91427633af0ef
Opcode Fuzzy Hash: 80c3138ea498a8d753351147f81b3888f162da3504da308129df3e32836a61e0
Instruction Fuzzy Hash: 5451C379901229CBCB209F28D8447BAB3F4FF14B14F2445AEE869D7690EF745E85CB90

Function 00BF6CF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,2E261FC3,00D8C950), ref: 00BF6D5C
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00BF6E53

Part of subcall function 00BE2D50: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BE2DFA

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00BF6D7A

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 201254970-3373098694
Opcode ID: b0f84baee3d4285aab8449adc8f785133656646010e77de318a1966cf4c89d0b
Instruction ID: f7fe4ec7aceb013099c4b33badd0738ca7fa7b5619d848903b1f3c05b2677faf
Opcode Fuzzy Hash: b0f84baee3d4285aab8449adc8f785133656646010e77de318a1966cf4c89d0b
Instruction Fuzzy Hash: A041A175A003099BDB10DF68C945BAFBBF9EF44714F108199E904A72D1DBB4AA48CBE1

Function 00AFD200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AFD22B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AFD28E

Strings

bad locale name, xrefs: 00AFD2B1

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 096895662d66f08dbe9d8bb8985836b9c7b7483e63846e24f92f88124ef16a93
Instruction ID: ba94a784270e1f6111a63a5b20b82096c66e915cb8aaefdf51b8a66e205b1997
Opcode Fuzzy Hash: 096895662d66f08dbe9d8bb8985836b9c7b7483e63846e24f92f88124ef16a93
Instruction Fuzzy Hash: 2621FF70A05784DFD721CFA8C804B9ABBE4AF15314F14869DE489D7B81D3B9EA04CBA1

Function 00ADE6F9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 00ADE72C

Strings

Unknown exception, xrefs: 00ADE701
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00ADE711

Memory Dump Source

Source File: 00000000.00000002.2054540460.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.2054516381.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054737812.0000000000D49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054805448.0000000000DFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054830591.0000000000DFF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054854003.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054961330.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_e-SPT Masa PPh.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: c1a8017cf26e36c6f12d57ecd9b5afdbd64eb14e49875459e32b9f58c5f3f538
Instruction ID: e77521efa2386582fbd8ab62f5a9dd5572095762aab9159ae48869feef0efefc
Opcode Fuzzy Hash: c1a8017cf26e36c6f12d57ecd9b5afdbd64eb14e49875459e32b9f58c5f3f538
Instruction Fuzzy Hash: E901FB30D0528CEEDB01E7E8CA557DDBFB5AF15304F548098E0457B382DBB9AA48D792

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e-SPT Masa PPh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\3df3be.rbs

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll

C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA

C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll

C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll

C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll

C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll

C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll

C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll

C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll

C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll

C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll

C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO

C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG

Windows Analysis Report
e-SPT Masa PPh.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre